Real-time systems are appearing in more and more applications where their proper operation is critical, e.g. transport controllers and medical equipment. However, they are extremely difficult to design correctly. One approach to this problem is the use of formal description techniques and automatic verification. Unfortunately, automatic verification suffers from the state-explosion problem even without considering timing information. This thesis proposes a state-based approximation scheme as a heuristic for efficient yet accurate verification.

We first describe a generic iterative approximation algorithm for checking safety properties of a transition system. Successively more accurate approximations of the reachable states are generated until the specification is provably satisfied or not. The algorithm automatically decides where the analysis needs to be more exact, and uses state partitioning to force the approximations to converge towards a solution. The method is complete for finite-state systems.

The algorithm is applied to systems with hard real-time bounds. State approximations are performed over both timing information and control information. We also approximate the system's transition structure. Case studies include some timing properties of the MAC sublayer of the Ethernet protocol, the tick-tock service protocol, and a timing-based communication protocol where the sender's and receiver's clocks advance at variable rates.
Abstract


Real-time systems are appearing in more and more applications where their proper operation is critical, e.g. transport controllers and medical equipment. However, they are extremely difficult to design correctly: one must consider the sequencing and coordination of events in concurrent processes, as well as the times at which they occur. One approach to this problem is the use of formal description techniques and automatic verification. Unfortunately, automatic verification suffers from the state-explosion problem and is computationally expensive even without real-time. The addition of timing information makes the problem much harder. This thesis proposes a state-based approximation scheme as a heuristic for reducing the effort required in verification.

We first describe a generic iterative approximation algorithm for checking safety properties of a transition system. It exploits the fact that not all the details of a system need be considered to prove it correct. Successively more accurate approximations of the reachable states are generated until it can be determined whether the specification is satisfied or not. The algorithm automatically decides where the analysis needs to be more exact, and uses state partitioning to force the approximations to converge towards a solution. In the case of finite-state systems, the method is complete.

The algorithm is used to verify that systems with hard real-time bounds satisfy timed safety properties. State approximations are performed over both timing information and control information. We also approximate the system's transition structure. Case studies include some timing properties of the MAC sublayer of the Ethernet protocol, the tick-tock service protocol, and a timing-based communication protocol where the sender's and receiver's clocks advance at variable rates.
Chapter 1
Introduction


1.1 Motivation


Many computer-related systems are time-critical: they may depend on timing information for their correct operation, or their specifications may require certain tasks to be performed within specific time bounds. Typical examples include embedded systems, communication protocols, and transportation controllers. In many of these applications, correct operation is imperative. Failures may result in financial disaster, system shut-downs, physical harm, or in some cases even the loss of lives. However, it is generally accepted that specifying and reasoning about the timing behavior of concurrent systems is a difficult task. It is easy for an ad hoc analysis, or even extensive simulation, to miss crucial cases which lead to errors.

One approach to this problem is to develop mathematically formal methods for system verification. The idea is to be able to prove that the system is correct rather than to assume it is because no bugs have been discovered so far. In this framework, a potential system implementation can be modeled formally and analyzed against a specification early in the design cycle. Logical design bugs can be removed before they percolate down to lower levels of implementation. As an implementation is refined, it can be verified against its higher-level description. The major drawback of this approach is that formal specifications quickly become too complex to analyze manually as the size of the system increases. With today's computer-based applications growing ever larger, there is a need for computer assistance in the verification process. Indeed, one strategy is to use a fully automatic verification technique. Here, the user supplies a verification tool with a formal system description and a specification for it, and then waits for the verifier to check, without any further human assistance, whether the system is correct or not.

Up until recently, verification methodologies had abstracted away the times at which events occur, and concentrated on the logical sequencing of actions. While such an abstraction is often useful, it is clearly not acceptable when the specification includes timing properties. Over the last few years, numerous formalisms have been proposed for describing the real-time behavior of concurrent systems, by either extending existing techniques or developing whole new theories. Indeed, the automatic verification problem for some classes of finite-state real-time systems has been solved, in theory [Dil89, AH89, AD90, Lew90, ACD90, LV92, HNSY92]. In many cases, there are known algorithms that are theoretically optimal in the worst case. However, from a practical standpoint, these algorithms are computationally infeasible on realistic examples. They have to deal with an extremely large number of reachable states, as well as taking into account the times at which they are reached. Algorithms are typically exponential in the size of the untimed part of the system description, and also exponential in the system's timing information. So while a verification engineer has a large choice of models to describe her system formally, she is left with no practical tools to verify that the system is correct. Our goal is to address this shortcoming by using heuristic techniques to make automatic verification of real-time systems computationally feasible.


1.2 Approximation

This thesis describes an efficient automatic approximation scheme which has been applied to the verification of timed safety properties. It is based on the observation that usually not all of a real-time system's timing information is necessary to establish its correctness. The basic idea is to perform symbolic simulation of the system's execution traces while simultaneously checking whether they violate the specification. The simulation, however, is only approximate. The set of reachable states is approximated from above and from below. If the overapproximation contains no violating states, i.e. states where an error has been detected, the system is successfully verified. If the underapproximation contains violating states, the system is not correct.

Taking approximations instead of computing the exact set of reachable states can be computationally advantageous. Firstly, the size of the symbolic approximation may be far smaller than the representation of the exactly reachable states. Secondly, the time required to generate an approximation may be less than for performing precise reachability analysis.

Approximation, however, is not always accurate enough to determine whether the system satisfies its specification. There is the possibility of false negatives (if the overapproximation contains violating states, these may or may not be truly reachable states of the system) and false positives (the underapproximation may not include violating states which are reachable). Thus the result from approximating may be inconclusive.

Our algorithm tackles this problem by iteratively refining the approximations so that they converge towards the truly reachable states. It is complete for finite-state systems, in that it always decides exactly whether the system is correct. We also prove completeness for the class of real-time systems we verify.

The key idea behind the iterative scheme is to limit where approximations are taken. This is achieved by partitioning the state-space into different regions, where states in the same region are believed to behave similarly. Approximation of reachable states is carried out within each region. When it is discovered that states in the same region have sufficiently different outgoing behaviors, the partitioning is refined. This successive refinement leads to progressively more accurate approximations.
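As an added illustration (not code from the thesis), the following Python sketch runs the iterative scheme described in this section on a constructed finite transition system: the overapproximation is reachability at the granularity of regions, the underapproximation is exact search truncated at a bounded depth, and refinement separates the states already known to be reachable from the rest of their region. The system, the region-splitting rule and every name below are assumptions made for the example.

```python
# Constructed toy transition system (not from the thesis): a controller with a
# location and a small bounded counter x. The error state is (busy, 3); it is
# unreachable because x is reset to 0 on entering busy and busy is left once
# x reaches 2, but an abstraction that ignores x cannot see this.
LOCS = ("idle", "busy", "done")
STATES = [(loc, x) for loc in LOCS for x in range(4)]
INIT = {("idle", 0)}
BAD = {("busy", 3)}

def succ(state):
    """Exact next-state function of the constructed system."""
    loc, x = state
    if loc == "idle":
        return {("busy", 0)}
    if loc == "busy":
        return {("busy", x + 1)} if x < 2 else {("done", x)}
    return {("idle", x)}                       # done -> idle, counter kept

def over_approx(partition):
    """Reachability at region granularity: as soon as one state of a region is
    reached from an admitted region, the whole region is admitted. The result
    is a superset of the exactly reachable states."""
    region_of = {s: i for i, block in enumerate(partition) for s in block}
    reached = {region_of[s] for s in INIT}
    work = list(reached)
    while work:
        r = work.pop()
        for s in partition[r]:
            for t in succ(s):
                if region_of[t] not in reached:
                    reached.add(region_of[t])
                    work.append(region_of[t])
    return set().union(*(partition[r] for r in reached))

def under_approx(depth):
    """Exact forward search cut off after `depth` steps. The result is a subset
    of the exactly reachable states, so any error state in it is truly reachable."""
    seen, frontier = set(INIT), set(INIT)
    for _ in range(depth):
        frontier = {t for s in frontier for t in succ(s)} - seen
        seen |= frontier
    return seen

def refine(partition, over, under):
    """Split every region inside the overapproximation that mixes states known
    to be reachable (in `under`) with states not yet known to be; region-level
    reachability was conflating the two kinds."""
    new = []
    for block in partition:
        known = block & under
        if block <= over and known and known != block:
            new.extend([known, block - known])
        else:
            new.append(block)
    return new

def verify(initial_partition, bad=BAD, max_iter=50):
    """Iterate: an overapproximation free of `bad` proves safety; an
    underapproximation hitting `bad` proves a violation; otherwise refine the
    partition and search one step deeper. Returns (verdict, iterations used)."""
    partition = [set(block) for block in initial_partition]
    for k in range(1, max_iter + 1):
        over = over_approx(partition)
        if not over & bad:
            return "safe", k
        under = under_approx(k)
        if under & bad:
            return "unsafe", k
        partition = refine(partition, over, under)
    return "inconclusive", max_iter

# Start by abstracting the counter away entirely: one region per location.
BY_LOCATION = [{s for s in STATES if s[0] == loc} for loc in LOCS]

if __name__ == "__main__":
    print(verify(BY_LOCATION))                      # ('safe', 4)
    print(verify(BY_LOCATION, bad={("done", 2)}))   # ('unsafe', 4)
```

With the singleton partition (one state per region) the overapproximation is exact, which is the finite-state completeness argument in miniature: refinement can only move towards that partition.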
1.3 Contributions


The main contributions of this thesis are a generic framework for iterative approximations for safety verification, an efficient approximation algorithm for real-time systems, and the demonstrated automatic verification of non-trivial real-time systems, including a model of real-time systems with skewed clocks.

The iterative algorithm proposed in this thesis solves the safety verification problem. It is flexible enough to apply to many different problem domains. At the barest level, the algorithm designer needs to provide a symbolic system representation, including set representations and next-state operators, and two approximating operators. If desired, he can also add any number of his own heuristics to speed convergence.

The algorithm itself uses dynamic refinement of approximations, rather than statically determined convergence. This means that it attempts to determine automatically which parts of the state-space need to be analyzed more carefully, and where approximations can be more liberal. It is easily parameterizable to begin approximating as finely or loosely as desired. There is a limited capacity for user-supplied information to be exploited, by instructing the program where to start approximating more aggressively. Both backwards and forwards reachability information is utilized, whereas most verification methodologies choose one direction only. This is possible since we can take a quick analysis in one direction, and then combine that with information from the other, rather than being bogged down in an exact analysis in only one direction, or attempting to compute exact reachability in both directions at the same time. While the main algorithm is based on state approximations, the theory also allows next-state relations to be approximated. The algorithm is shown to terminate over finite-state systems.

The algorithm is applied to real-time verification, using both state approximations and transition relation approximations. Our method is the first to benefit substantially from combining symbolic representations of control information and timing information. We also provide a natural and efficient handling of urgency semantics, where urgent events are events which must take place as soon as they are enabled. We use our tool to automatically verify several non-trivial real-time systems. We verify some timing properties of an abstracted Ethernet MAC sublayer protocol. We also introduce a new subclass of linear hybrid automata that models systems where clocks advance at variable linearly-bounded rates. Using this model, we verify a recently published audio control protocol which uses Manchester-encoded bit streams. Communication is between processes which have a fixed error tolerance in their clock speeds. We automatically prove that for arbitrary length messages, all bits are received correctly and in a timely fashion. The performance of our tool compares favorably to the symbolic real-time verifier Kronos developed by Sifakis et al [NSY92a] at VERIMAG, France. Finally we describe our experience with developing verification methodologies for real-time systems.


1.4 Real-time systems

Recently there have been many formal description techniques proposed for describing real-time systems and their timing properties. We outline the model we use (timed safety automata [NSY92a]), and then compare it briefly with other approaches. Our concern is not so much with a specification technique as with the algorithm required to verify correctness, so we concentrate more on the formalisms that lend themselves to automatic verification.

Discrete vs continuous time

A major dividing line in the methods is how they model time, as either a discrete entity, or as continuous. In a discrete time framework, events occur only at discrete clock ticks. In the continuous time model, events may occur at any real-valued time. The main advantages and disadvantages of each approach are listed below.

• discrete: In this framework, it is easy to incorporate time into many existing untimed models, specification languages, and implementations. A discrete notion of time is accurate for some classes of processes, such as synchronous hardware.

• continuous: The continuous time model is more natural and accurate, especially since it can be shown that in some cases the time domain cannot be discretized sufficiently finely for an accurate semantics [Alu91]. However, introducing continuous time involves new models, more complex semantics, and more complex reasoning.

Timed safety automata operate in continuous time. We later show that the savings due to performing discrete computation may be minimal compared to continuous, since there are no known symbolic methods for discrete time which outperform those for continuous time models.

1.4.1 Timed safety automata

We use timed safety automata (TSAs) to describe real-time systems and their specifications [HNSY92, NSY92a]. They operate with finite-state control. Time is modeled through the addition of a finite set of fictitious clocks [AD90, AH94]. Each clock records the exact time which has elapsed since its last reset. Timing conditions are expressed by constraints on when events may occur. Following the introduction of timed automata by Alur and Dill [AD90] there have been many variants described in the literature. The particular version we use is taken from Nicollin et al [NSY92a] and augmented with urgency semantics. Local progress is enforced by constraining the amount of time which can pass while control rests in a location. However, these automata have no means of expressing unbounded fairness information.
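To make the clock mechanism concrete, here is an added Python example (not from the thesis or from the tools it cites) that represents sets of clock valuations as difference bound matrices and runs forward reachability over a small constructed timed safety automaton, showing how a location constraint on elapsed time (local progress) rules out an edge that becomes enabled once that constraint is dropped. The automaton, its locations, guards and invariant, and the `Zone` helper are all assumptions made for the example; only non-strict constraints are handled.

```python
INF = float("inf")

class Zone:
    """Difference bound matrix (DBM) over clocks x_1..x_n plus the reference clock
    x_0 = 0. m[i][j] is the tightest known bound on x_i - x_j; only non-strict
    bounds are used to keep the example short. A fresh Zone has all clocks at 0."""

    def __init__(self, n):
        self.n = n
        self.m = [[0] * (n + 1) for _ in range(n + 1)]   # x_i - x_j <= 0 for all i, j

    def copy(self):
        z = Zone(self.n)
        z.m = [row[:] for row in self.m]
        return z

    def canonical(self):
        """Floyd-Warshall tightening: every bound becomes the tightest implied one."""
        r = range(self.n + 1)
        for k in r:
            for i in r:
                for j in r:
                    if self.m[i][k] + self.m[k][j] < self.m[i][j]:
                        self.m[i][j] = self.m[i][k] + self.m[k][j]
        return self

    def is_empty(self):          # a negative cycle means the constraints contradict
        return any(self.m[i][i] < 0 for i in range(self.n + 1))

    def constrain(self, i, j, c):   # intersect with x_i - x_j <= c
        self.m[i][j] = min(self.m[i][j], c)
        return self

    def delay(self):             # let time pass: drop every upper bound x_i - x_0 <= c
        for i in range(1, self.n + 1):
            self.m[i][0] = INF
        return self

    def reset(self, i):          # x_i := 0 (zone must be canonical)
        for j in range(self.n + 1):
            if j != i:
                self.m[i][j], self.m[j][i] = self.m[0][j], self.m[j][0]
        return self

    def includes(self, other):   # both zones canonical
        r = range(self.n + 1)
        return all(other.m[i][j] <= self.m[i][j] for i in r for j in r)

def apply_constraints(zone, constraints, idx):
    """constraints: (clock, '<=' or '>=', constant); x >= c is encoded as x_0 - x <= -c."""
    for clock, op, c in constraints:
        if op == "<=":
            zone.constrain(idx[clock], 0, c)
        else:
            zone.constrain(0, idx[clock], -c)
    return zone.canonical()

def reachable_locations(invariants, edges, init_loc, idx):
    """Forward symbolic reachability over (location, zone) pairs.
    edges: (source, guard constraints, clocks to reset, target)."""
    start = apply_constraints(Zone(len(idx)).delay(), invariants[init_loc], idx)
    visited, work = {init_loc: [start]}, [(init_loc, start)]
    while work:
        loc, zone = work.pop()
        for src, guard, resets, dst in edges:
            if src != loc:
                continue
            z = apply_constraints(zone.copy(), guard, idx)
            if z.is_empty():
                continue                       # edge not enabled anywhere in this zone
            for clock in resets:
                z.reset(idx[clock])
            # dst's invariant must hold on entry, and bounds how long control may
            # then rest there: this is how the model enforces local progress.
            z = apply_constraints(z, invariants[dst], idx)
            z = apply_constraints(z.delay(), invariants[dst], idx)
            if z.is_empty() or any(v.includes(z) for v in visited.get(dst, [])):
                continue
            visited.setdefault(dst, []).append(z)
            work.append((dst, z))
    return set(visited)

# Constructed TSA (not from the thesis): a request/acknowledge loop with one clock x.
# The invariant x <= 5 in "wait" forces the automaton to leave within 5 time units,
# so the edge to "timeout", guarded by x >= 7, can never fire.
CLOCKS = {"x": 1}
INVARIANTS = {"wait": [("x", "<=", 5)], "ack": [], "timeout": []}
EDGES = [
    ("wait", [("x", ">=", 2)], ["x"], "ack"),
    ("ack", [], ["x"], "wait"),
    ("wait", [("x", ">=", 7)], [], "timeout"),
]
NO_PROGRESS = {loc: [] for loc in INVARIANTS}   # same automaton with invariants dropped

def timeout_reachable(invariants=INVARIANTS):
    return "timeout" in reachable_locations(invariants, EDGES, "wait", CLOCKS)
```

`timeout_reachable()` is false with the invariant in place and true with `NO_PROGRESS`, which is exactly the difference between a TSA with local progress constraints and a plain timed automaton that may idle forever.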

1.4.2 Other formalisms

Real-time logics

Temporal logics [Pnu77, Pnu86, CES83] have met wide success in reasoning about untimed reactive systems. Naturally, these logics are a good starting point for developing logics that can reason directly about a system's timed behaviors. Properties are expressed using formulas such as "p → ◇≤3 q" to mean that when p is true, q will eventually be true within 3 time units. See [AH92] for an excellent survey of logics for real time. Of the logics interpreted over dense models, only MITL of Alur et al [AFH91] is known to be decidable. A number of decidable logics use a fictitious clock as a global integer variable to record the current time, for instance RTTL [Ost92], XCTL [HLP90], and RTCTL [EMSS89]. Essentially all discrete time extensions to decidable logics are decidable.

Process algebras

A process algebra is a calculus with operations for building more complex processes from simple ones [Mil80, Hoa85]. Typically the simplest processes are single events, and there are operations for sequential composition, parallel composition, hiding of events, synchronization, and non-deterministic choice. Algebraic laws state that some processes are equal to others; for example, the choice operator may be commutative. Time is usually introduced into a process algebra through a mechanism to explicitly model the passing of time. It may be in the form of a unary delay operator [Yi90] or a special process. For example "Δ(t).P" may be used to represent the process which delays for t time units and then behaves like P. There may also be other operators such as a timeout operator, which states that a process executes for some fixed amount of time and then behaves like another. Examples of such timed process algebras are Timed CSP [RR88], TCCS [Yi90], and ATP [NSV90].

Duration calculus

The calculus of durations [CHR91] is an extension to interval temporal logic which allows reasoning about the durations of states within an interval, without explicit mention of absolute time. A duration formula ∫P = 5 is true for an interval I when ∫_I P = 5, and the formula ∫P ≤ 20 ∫Q intuitively means that Q holds over the interval at least 1/20 of the time that P holds. In addition to the usual boolean operations on formulas, there is a chop operation denoted (D1; D2) which is true over an interval whenever it can be partitioned into two consecutive parts, the first of which satisfies D1 while the second satisfies D2. Formulas may be interpreted over discrete time or continuous time. In general, the calculus is undecidable. However, Chaochen et al [CHS93] have identified decidable fragments; allowing only primitive formulas of the form ⌈P⌉, which assert that P holds almost everywhere over an interval, is decidable for both the dense time and discrete time versions, and admitting formulas ℓ = k, which express that the interval is of length k, maintains decidability for the discrete time calculus only.

Other state based approaches

Lewis' state-diagrams [Lew90] are very similar to timed automata. The enabling conditions on transitions are based on delays between pairs of events, rather than delays since individual events occurred. The primary advantage of timed automata is that they have a simpler definition and semantics.

Ostroff's timed transition machines (TTMs) [Ost92] and the timed transition systems of Henzinger et al [Hen91] are timed extensions of Manna and Pnueli's fair transition systems. Each transition is associated with a lower time bound and an upper bound. An execution is timing consistent if every transition which fires has been continuously enabled no less than its lower time bound and no more than its upper bound, and no transition is continuously enabled for longer than its upper bound without firing. Timed I/O automata [LA90] correspond to the analogous extension to I/O automata. The finite-state versions of all these machines can be modeled by timed safety automata, except that unbounded fairness cannot be expressed, nor is there any structure to model the input/output events of timed I/O automata. However, it should be noted that all timing aspects of these transition systems can be captured.

Various real-time extensions have been proposed for Petri nets. Time bounds may be placed on the lives of tokens [Van93] or enabled transitions [MF76], or delays may be associated with transitions [Ram74]. Again, timed automata are generally as expressive as all the finite-state versions of these nets.

There are other state-based formalisms which allow more general modeling of real-time systems. Hybrid systems model finite-state systems augmented with continuous variables that evolve according to differential equations. They can be used to model skewed clocks, drifting clocks, and interrupted clocks, as well as analog variables such as pressure and temperature.

We choose to use timed automata because of their simplicity, expressiveness, and algorithmic solutions to verification problems. Many other formalisms are no more expressive (at least not as far as representing timing information) and can be compiled into timed automata, or they have undecidable verification problems.

1.4.3 Verification

We briefly survey the verification techniques associated with the formalisms above. Most algorithmic verification is no easier than verification using timed automata. In fact, many of the verification problems which have algorithmic solutions can be solved by the same techniques required for verifying timed automata. Therefore we consider the practical verification of timed automata a major issue in real-time verification.

Timed automata

Alur et al [AD90, ACD90] show how timed automata may be analyzed by first constructing a finite quotient graph called a regions graph. Its equivalence classes are in some sense a bisimulation of the system's states. Typically an analysis problem for a timed automaton is reduced to its untimed counterpart over the regions graph. The finiteness of the regions graph allows numerous analysis problems to be solved, including bisimulation equivalence, automata emptiness, model-checking of TCTL formulae, reachability, and controller synthesis [Cer93, ACD90, HNSY92, CY92, WTH91]. Unfortunately, the regions graph is exponential in the number of time-keeping elements in the system, and also in the size of the timing constants used. The main problem which this thesis tackles is reachability, which is known to be PSPACE-complete. This exponential blow-up makes automatic verification of real-time systems particularly challenging. Previous approaches to tackle this state-explosion are described in the next section.

Logics

One way logics can be used to verify timed systems is by proving the validity of the formula φ → ψ, where φ defines the system and ψ its specification. However, most temporal logics over dense models are undecidable. For the decidable logics, the complexity of the decision procedure is typically one exponential more than for its untimed version, the same blow-up we encounter moving from untimed automata to timed automata. Furthermore there has been no work that we know of on developing heuristic decision procedures for these logics.

Model-checking is an alternative verification method where the system is given as a proposed model to be checked against the logical specification. For some logics the complexity of model-checking is better than for validity, and in the cases of XCTL [HLP90] and TCTL [ACD90] it is PSPACE-complete. It is in theory then no easier than reachability of timed automata.

Temporal proof systems may also be used to establish the validity of temporal formulae. However, our main interest here is in automatic methods, rather than human-generated proofs.


Process algebras

Correctness of process algebras is usually defined in terms of a process equivalence (where processes have similar behavior according to some criterion such as observable traces) or preorder (where an implementation is intended to refine a specification). Verification consists of either constructing proofs using the algebraic laws associated with the operators, or compiling process algebraic terms into graphs which are then tested for equivalence or simulation preorders. For timed process algebras, the graphs for the algebraic terms are essentially timed automata [Cer93, NSY92b]. So yet again, verification reduces to analysis of timed automata.


Duration calculus

For some restricted subclasses of the duration calculus, the sets of satisfying behaviors are regular sets [CHS93]. Skakkebaek et al [SS93] discuss a verification strategy and implementation based on converting duration calculus formulas into regular expressions and checking for emptiness.
Petri nets

The usual way Petri nets are used for verification is by performing a reachability analysis and testing whether a marked place is reached. The Petri net formalism of Rokicki [Rok93] models timed circuits and uses a notion of conformance as its correctness criterion. Again, the finite-state versions of these nets (i.e. those with a bounded number of markings, or k-safe) could be analyzed by the same reachability techniques used for timed automata. However, more direct methods have been advocated, and are described in the next section.


Other state-based approaches

Timed transition systems are proven correct by using a temporal proof system. Lynch et al [LA90, LV92] study the use of mappings and simulations between timed I/O automata to establish that one implements another. Neither of these two approaches is designed for automatic verification.


1.5 Related work

We describe previous attempts at tackling the state-space explosion encountered when verifying real-time systems. Most closely related are other approximation methodologies designed specifically for real-time systems [AIKY93, BSV93]. Other approaches directly using the timed automaton formalism include building minimal regions graphs [ACH+92, ACD+92], symbolic model-checking [HNSY92], and reachability graphs [KL94]. We also outline some related work on Petri net reachability analysis [BM83, YTK91, Rok93].

Finally, we give a brief comparison with similar work in the domain of abstract interpretations [CC92], and mention some other fields where state based approximation has been used.
1.5.1 Iterative approximations

The iterative method we propose is not the only viable iterative scheme for approximating the behavior of a real-time system. We know of two other iterative approximation schemes which converge to an answer to the correctness problem. Alur et al [AIKY93] and Balarin et al [BSV93] describe approximation algorithms which use a different methodology from that advocated here. Their approach assumes that not many timing constraints in the system are necessary for its correct operation. Based on this premise, they initially attempt to verify the system based only on logical constraints, i.e. ignoring all timing information. When a potential violating trace is detected, timing constraints are used to determine how the untimed sequence is not timing consistent, if possible. An untimed automaton which eliminates the false negative based on the effect of these timing constraints is then added into the system. Alur et al add the minimized regions graph for the constraints, and Balarin et al add subprocesses which monitor difference constraints between clocks. The algorithms generate additional useful information about the system: if the system can be successfully verified, we know that the only constraints necessary for correctness are those that have been iteratively added by the algorithm. Other constraints can be ignored. Also Alur et al's algorithm uses a clever rounding of the timing constants in order to keep the regions graphs for each approximation small. This feature also provides parametric information about system correctness. The drawback of these algorithms is that while they approximate the system description (by dropping constraints) they still require exact computation of the regions graph for each abstracted system.

By comparison, our algorithm performs its approximations based on state information. It maintains all timing constraints on transitions, but then discards information from the states which are reached. Refinement of our approximations is primarily state based, rather than transition based, although local approximation of the time-passage transition is also performed. Our algorithm is general enough to allow approximations over control information. It can also easily be applied to systems other than real-time systems.

Ostroff [Ost92] uses formulas in real-time temporal logic to describe forward and
backwards heuristic approximations. Since his underlying model is not finite-state,
and his specifications are more expressive, his method does not automatically decide
whether a property holds or not. Instead he shows how heuristics can be used to
provide helpful hints to a human attempting a proof of a property.

1.5.2  Analyzing  timed  automata 

Alur  et  al  [ACH+92,  ACD+92]  approach  the  state-explosion  problem  of  the  regions 
graph  by  building  a  minimal  regions  graph  instead  of  the  full  graph.  Nodes  in  the 
minimal  graph  are  clustered  equivalence  classes  from  the  regions  graph.  While  this 
leads  to  far  fewer  nodes  in  the  generated  graph,  experience  shows  that  even  these 
graphs  can  easily  exceed  available  memory. 

Our  iterative  approximation  scheme  bears  resemblance  to  the  minimization  algo¬ 
rithms  of  Lee  and  Yannakakis  [LY92,  YL93].  A  closer  study  of  the  relationship  could 
lead  to  improved  algorithms.  Lee  and  Yannakakis’  algorithms  cleverly  partition  the 
reachable  states  of  an  implicitly  defined  system  into  the  minimal  number  of  bisimu¬ 
lation  equivalence  classes,  while  here  we  are  interested  only  in  reachability.  However 
their  marking  of  points  may  be  considered  an  underapproximation  of  the  reachable 
states,  and  the  potentially  reachable  blocks  an  overapproximation.  The  role  of  the 
separating  classes  of  our  approximation  algorithm  is  similar  to  the  splitting  of  blocks 
in  minimization.  We  are  only  interested  in  reachability,  not  bisimulation  equivalence 
and  so  we  need  not  partition  the  state-space  as  finely.  In  addition,  we  make  use  of 
backward  reachability  information. 

Kang  and  Lee  [KL94]  have  recently  proposed  an  alternative  approach  to  solving 
the  reachability  problem  for  timed  automata.  Rather  than  build  a  regions  graph 
(where  states  are  partitioned  according  to  the  values  of  their  timers),  they  generate 
a  reachability  graph  where  relative  delay  information  is  encoded  on  the  transitions. 
A  state  is  reachable  if  the  constraints  on  a  path  to  it  in  the  reachability  graph  are 
satisfiable. 

Symbolic model-checking [HNSY92, NSY92a] involves iteratively computing the
set of timed states of the system which satisfy each subformula of its TCTL
specification. In this sense, the computation is very much driven by the specification,
and involves mainly backwards reachability. This computation is performed symbolically
using the same representation for timing information which we use. However the
analysis is exact. The model-checking framework is more expressive than the
reachability problem we consider.

1.5.3  Petri  nets 

Berthomieu  and  Menasche  [BM83]  show  how  the  reachability  problem  for  safe  time 
Petri  nets  is  decidable.  Their  symbolic  representation  of  timing  information  by  dif¬ 
ference  constraints  between  timers  is  essentially  the  same  as  that  of  Dill  [Dil89]. 
Yoneda  et  al  [YTK91]  exploit  the  concurrency  of  transition  firings  to  generate  dif¬ 
ference  constraints  which  correspond  to  several  possible  firing  sequences,  rather  than 
considering  each  sequence  individually.  Although  Rokicki’s  description  language  is 
orbital  nets  [Rok93],  a  Petri-net  formalism,  his  algorithms  also  compute  reachability 
using  constraint  matrices.  He  builds  processes  whose  linear  executions  correspond  to 
multiple  interleavings  of  events.  When  there  is  a  lot  of  concurrency  in  the  system, 
this  technique  reduces  the  number  of  interleavings  he  must  consider  and  the  number 
of  constraint  matrices  needed  to  store  the  reachable  states. 

1.5.4  Abstract  interpretation 

Abstract  interpretation  is  a  well-studied  theory  of  semantic  approximation  [CC77, 
Cou90,  CC92].  The  approximations  described  in  this  paper  can  be  viewed  as  a  com¬ 
bination  of  abstraction,  operation  on  an  abstract  domain,  and  concretization.  A 
similar  idea  to  that  of  iterating  forward  and  backwards  passes,  using  overapproxi¬ 
mations  only,  to  refine  the  set  of  reachable  states  on  paths  to  violating  states  has 
been  suggested  in  an  abstract  interpretation  framework  for  type-checking  flowchart 
programs  [KU80],  and  for  analyzing  logic  programs  [CC92]. 

Halbwachs [Hal93b] successfully applied abstract interpretation to synchronous
reactive systems, demonstrating its effectiveness in reducing the computational effort
required for analysis. His approximations are taken over discrete variables, and he
uses polyhedra for describing the reachable variable values. He does not consider
approximations over control information. Moreover no means of refining approximations
is given, so if a verification attempt fails, there is no way to tell if it is due to a
real error, or simply inaccurate approximation.

The  full  algorithm  presented  here  is  the  first  which  uses  both  underapproxima¬ 
tions  and  overapproximations,  and  for  finite-state  systems,  automatically  determines 
precisely  whether  there  are  reachable  violating  states. 

1.5.5  Other  applications  of  approximation 

Approximation  techniques  have  been  used  in  many  fields  other  than  verification.  We 
briefly  describe  the  approaches  most  closely  related  to  this  thesis. 

Approximate  methods  for  logical  inference  have  been  studied  in  artificial  intel¬ 
ligence.  Levesque  [Lev84,  Lev89]  introduced  the  idea  of  limited  inference  to  model 
an  agent’s  “shallow”  reasoning  process  based  on  simple  inference  rules.  Kautz  and 
Selman  [SK91]  advocate  knowledge  compilation  of  propositional  theories  into  Horn 
approximations.  Their  idea  is  that  an  intractable  theory  may  be  reduced  to  a  stronger 
(or  weaker)  Horn  theory,  allowing  efficient  reasoning  over  the  Horn  theories.  If  the 
Horn  theories  do  not  answer  the  logical  inference  problem,  the  method  resorts  to  the 
exact  theory.  Cadoli  [Cad92]  describes  a  method  which  does  allow  both  sound  and 
complete  approximations  in  a  framework  that  incrementally  iterates  toward  an  exact 
answer.  Roughly  speaking,  more  accurate  approximations  are  obtained  by  increasing 
the  number  of  literals  that  are  semantically  consistent.  However  his  methodology  pro¬ 
vides  no  semantically  based  means  of  dynamically  choosing  how  the  approximations 
are  to  be  refined. 

Various  state  based  approximations  are  based  on  the  idea  of  divide-and-conquer. 
Typically  a  2-dimensional  or  3-dimensional  state-space  is  partitioned  using  hierarchi¬ 
cal  data-structures  called  quad-trees  or  oct-trees.  In  the  case  of  quad-trees,  the  root 
node  represents  a  two-dimensional  space.  Each  internal  node  has  4  leaves,  represent¬ 
ing  neighboring  sets  which  partition  the  node.  The  quad-tree  is  built  dynamically, 
with  new  nodes  created  whenever  a  leaf  node  needs  to  be  analyzed  more  carefully. 
The  idea  is  to  work  efficiently  with  large  chunks  of  the  state-space  as  much  as  possi¬ 
ble,  subdividing  a  node  only  when  necessary.  This  method  has  been  used  successfully 
in a number of different fields, such as path-planning for robots [AKH88], image
processing [MM88], and VLSI layout design [HF90]. With the exception of robot
path-planning, the problem domains admit varying degrees of accuracy (e.g. many
image resolutions are acceptable) in their solutions and the chief concern is with
obtaining a good approximation with low computational expense, as opposed to using
approximation as an efficient means of finding an exact answer. In addition, our
problems involve more complex state-spaces, a combination of n-dimensional spaces
for timing information, where n is the number of clocks in the system, and a discrete
component for the control information. This state-space complexity does not allow
an easy and effective application of the quad-tree approach.


1.6  Outline  of  thesis 

In  the  remainder  of  this  chapter,  we  provide  some  introductory  notation,  describe  the 
framework  we  use  for  verifying  safety  properties,  and  explain  how  symbolic  compu¬ 
tation  can  speed  up  verification. 

Chapter 2 describes the main approximation algorithm for a generic safety
verification problem. In the next chapter, we describe in more detail the model of
real-time systems we consider, and its safety verification problem. The next two
chapters outline how the approximation algorithm can be applied to the verification
of real-time systems, firstly approximating over only timing information, then over
the control information as well¹. Case studies appear in the following chapter.
Chapter 7 describes a class of hybrid systems which can be verified exactly via a
reduction to real-time systems. Chapter 8 discusses a prototype implementation,
gives performance results, and describes some of the lessons we learnt in building
verifiers for real-time systems. Finally, conclusions can be found in chapter 9.


¹The main generic approximation algorithm and its application to simple timed automata without
approximations of the next-state relation appears in [WTD94].
1.7 Preliminaries

1.7.1  Transition  systems 

We model a process $P$ as a transition system $(S, S_0, N)$ where $S$ is the underlying
state-space of the system, $S_0 \subseteq S$ is a set of initial states, and
$N \subseteq S \times S$ is a next-state relation. A transition system describes a
directed graph in the usual way. We sometimes write $s \to s'$ and $N(s, s')$ to mean
that $(s, s') \in N$. For a set of states $A$, we abuse notation and simply use $N(A)$
to mean the set of successors of $A$, i.e.
$N(A) = \{\, y \in S \mid \exists x \in A \text{ s.t. } N(x, y) \,\}$. An execution
trace of the system is any infinite sequence of states $s_0, s_1, s_2, \ldots$ such
that $s_i \in S$ and $(s_i, s_{i+1}) \in N$ for $i \geq 0$. A partial trace is a
finite sequence $s_0, s_1, \ldots, s_n$ such that $s_i \in S$ and
$(s_i, s_{i+1}) \in N$ for $0 \leq i \leq n - 1$. A trace is initialized iff its
first state lies in $S_0$. The transition system is non-deadlocking iff every
initialized partial trace of the system is extensible to an infinite execution trace.

A state $s'$ is said to be forward reachable from $s$ in $P$ iff there is a path in
the graph for $P$ from $s$ to $s'$. In this case, the state $s$ is called an ancestor
of $s'$, and $s'$ is a descendant of $s$. A state $s$ is backwards reachable from
$s'$ iff there is a path in $P$ from $s$ to $s'$. We define the set of states
$\mathit{reach}(S, S_0, N)$ to be the states which are forwards reachable from an
initial state.

An equivalence relation $\approx$ over the states of the system is a bisimulation iff
whenever $s_1 \approx s_2$ and $s_1 \to s_1'$ then there exists a state $s_2'$ such
that $s_2 \to s_2'$ and $s_1' \approx s_2'$.

1.7.2  Safety  verification  problem 

The  problem  we  are  interested  in  solving  is  called  the  safety  verification  problem. 
Intuitively,  a  process  is  correct  iff  it  never  does  anything  “bad”. 

A common framework for verification uses trace inclusion as its correctness
condition. The process $P$ is modeled by a formal language $L(P)$ describing the
possible infinite execution traces of the system. Its specification is also given as
a language $L_S$ of infinite traces, and it represents a maximal set of permissible
traces. The process is said to be correct iff $L(P) \subseteq L_S$. In the
automata-theoretic approach [VW86], correctness can be decided by checking for
emptiness of an automaton representing $L(P) \cap \overline{L_S}$. We consider a
special case of this approach, which we call the safety verification problem.

A (safety) verification problem $W = (S, S_0, N, V)$ consists of a process
$P = (S, S_0, N)$ together with a set of violating states $V \subseteq S$ which
indicate that the process has violated some user-specified safety property. The
process is said to be correct iff no violating states are reachable from $S_0$.

The trace inclusion problem can be expressed in the form of a safety verification
problem when the process is non-deadlocking and the specification is a safety property.
The specification language $L_S$ is a safety property iff it is a closed language, i.e.
whenever an infinite string $w$ has infinitely many prefixes which are prefixes of
strings in $L_S$, then $w$ is also in $L_S$. Intuitively, to verify a safety property,
we may simulate the execution traces of a non-deadlocking process $P$ together with a
monitor which enters a violation state precisely when $P$ does something undesirable
(the partial trace so far leaves the prefix set of the specification). Because $P$ is
non-deadlocking, all partial traces are extensible to infinite traces, and so this
violating partial trace can be extended to an infinite violating trace. Thus
verification by automata-emptiness reduces to reachability in this case.

If  the  system  is  finite-state,  it  is  theoretically  possible  to  enumerate  explicitly 
all  reachable  states  in  the  state-space,  via,  for  example,  a  depth-first  search.  This 
technique  correctly  answers  the  verification  problem.  However  in  many  cases  the 
state-space  is  simply  too  large  to  be  fully  explored,  or  it  may  even  be  infinite.  This 
thesis  proposes  a  symbolic  state-space  approximation  technique  for  reducing  the  effort 
required  to  solve  safety  verification  problems.  It  is  applicable  to  both  finite-state  and 
infinite  state-spaces,  but  termination  is  only  guaranteed  over  finite  spaces. 


1.8  Symbolic  verification 

The use of various symbolic techniques in finite-state verification has led to great
success in recent years. The main feature of symbolic verification algorithms is their
ability to express information about sets of states succinctly without having to
refer explicitly to every set element. Reasoning about a system is done by reasoning
about  sets  of  states  instead  of  individual  elements.  A  symbolic  algorithm  may  be 
computationally  advantageous  compared  to  an  explicit  enumeration  technique  if  the 
number  of  set  operations  required  by  the  symbolic  algorithm  is  small  by  comparison. 
The  obvious  drawback  is  that  computation  over  sets  can  be  expensive.  A  symbolic 
technique  which  performs  a  small  number  of  expensive  algorithmic  steps  may  do  more 
work  overall  than  an  explicit  technique  which  uses  a  large  number  of  fast  operations. 

However  the  potential  benefits  of  symbolic  techniques  are  numerous.  In  many 
cases  symbolic  computation  over  sets  has  been  shown  to  be  far  faster  than  explicit 
state-by-state  analysis  [Bry92,  BCM+90,  CK91,  McM92,  FKM91,  HWT92b,  PD94]. 
Symbolic  representations  of  sets  may  also  be  far  smaller  than  explicitly  storing  indi¬ 
vidual  states.  In  fact,  memory  usage  is  often  a  more  critical  resource  than  time.  In 
addition,  symbolic  representations  may  allow  infinite  state  spaces  to  be  represented. 

In  order  for  a  symbolic  technique  to  be  useful,  we  require 

•  a  verification  algorithm  which  can  be  expressed  in  terms  of  sets  of  states,  and 

•  an  efficient  representation  of  sets  of  states. 

An  efficient  symbolic  representation  of  sets  should  ideally  meet  the  following  cri¬ 
teria: 

•  the  representation  of  a  “typical”  set  encountered  by  the  algorithm  should  be 
small. 

•  there  should  be  fast  operations  on  sets  of  states  for  all  operations  required  by 
the  particular  algorithm,  e.g. 

-  computing  successors  of  a  set  of  states 

-  computing  predecessors  of  a  set  of  states 

-  computing  intersection 

-  computing  set  difference  and  complementation 


-  computing  union 

-  testing  equality  and  emptiness 

All  the  above  characteristics  are  relative  compared  to  the  cost  of  performing  ex¬ 
plicit  analysis,  i.e.  storing  and  performing  computation  on  all  individual  set  elements. 
Notice  too  that  the  efficient  state  representation  need  only  be  applicable  over  those 
sets  of  states  encountered  by  the  algorithm. 

We  should  note  at  this  point  that  performing  computation  over  sets  is  only  a 
heuristic  technique.  Many  of  the  verification  problems  studied  are  PSPACE-complete, 
and  the  use  of  symbolic  techniques  will  not  overcome  the  inherent  complexity  of  the 
problem  in  the  worst-case  scenario.  However,  in  practice,  some  algorithms  whose 
complexity  is  actually  exponentially  worse  than  an  explicit  enumeration  technique 
perform  extremely  well  on  real  examples. 

In the symbolic methodology, safety properties for the verification problem
$W = (S, S_0, N, V)$ can be verified by performing the following iterative fixpoint
computation:

    $F_0 = S_0$
    $F_{i+1} = F_i \cup N(F_i)$        (1.1)
    $F = \lim_i F_i$

The specification is satisfied iff $F \cap V = \emptyset$. We assume the limit always
exists and is obtained after a finite number of iterations. Note that this assumption
is always true when the underlying system has a finite state-space. This algorithm
requires the computation of the next-state operator over sets, the union of sets,
tests for equality and emptiness, and an intersection operator. While such symbolic
verification can often outperform explicit analysis, there are still many situations
when even the symbolic representations of states are simply too large and complex.
Thus this thesis proposes using only approximate symbolic analysis.
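As an added illustration (this program is not from the thesis), the following Python code runs the fixpoint of equation 1.1 over sets of states on a small constructed model: two processes competing for a lock, with the violating states $V$ being those where both processes are in their critical section at once. The model, its state encoding (lock, p1, p2) and the check_lock switch are assumptions made for the example. With the lock respected, the iteration converges with $F \cap V = \emptyset$; with the lock test removed, a violating state becomes reachable, and the parent recorded for each newly discovered state yields an initialized partial trace that witnesses the violation.

```python
"""Exact forward reachability by the fixpoint of equation 1.1, run over sets of
states of a small constructed mutual-exclusion model. Added illustration; not
code from the thesis."""

IDLE, TRY, CRIT = "idle", "try", "crit"


def successors(state, check_lock=True):
    """One step of N for a state (lock, p1, p2): lock is 1 while a process
    holds it. check_lock=False is the assumed bug: a process enters its
    critical section without testing the lock."""
    lock, procs = state[0], list(state[1:])
    for k in range(2):
        new, new_lock = list(procs), lock
        if procs[k] == IDLE:
            new[k] = TRY
        elif procs[k] == TRY:
            if check_lock and lock == 1:
                continue                       # blocked until the lock is released
            new[k], new_lock = CRIT, 1
        else:                                  # CRIT -> IDLE, releasing the lock
            new[k], new_lock = IDLE, 0
        yield (new_lock, new[0], new[1])


def forward_fixpoint(s0, step):
    """F_0 = S_0; F_{i+1} = F_i ∪ N(F_i); stop when F_{i+1} = F_i.
    Each newly discovered state records the state of F_i it was reached from,
    so a violating state can be explained by an initialized partial trace."""
    reach, parent = set(s0), {s: None for s in s0}
    iterations = 0
    while True:
        new = {}
        for s in reach:                        # N(F_i) minus F_i
            for t in step(s):
                if t not in reach and t not in new:
                    new[t] = s
        iterations += 1
        if not new:                            # fixpoint reached
            return reach, parent, iterations
        reach.update(new)
        parent.update(new)


def witness(parent, state):
    """Partial trace s_0, ..., state following the recorded parents."""
    path = []
    while state is not None:
        path.append(state)
        state = parent[state]
    return path[::-1]


def verify(check_lock=True):
    """Safety verification problem (S, S_0, N, V) with V = both in CRIT."""
    s0 = {(0, IDLE, IDLE)}
    reach, parent, iterations = forward_fixpoint(
        s0, lambda s: successors(s, check_lock))
    bad = sorted(s for s in reach if s[1] == CRIT and s[2] == CRIT)
    return {
        "reachable": len(reach),
        "iterations": iterations,
        "correct": not bad,                    # reach ∩ V = ∅
        "violations": bad,
        "witness": witness(parent, bad[0]) if bad else None,
    }


if __name__ == "__main__":
    for flag in (True, False):
        print("check_lock =", flag, verify(flag))
```

The witness is the shortest violating partial trace because states are discovered one frontier at a time; it is the counterexample a verifier would hand back, and the four operations the paragraph above lists (successors, union, equality and emptiness tests, intersection with $V$) are exactly the ones the loop uses.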


Chapter 2


Approximation


This  thesis  is  built  upon  the  simple  observation  that  it  is  not  always  necessary  to 
consider  all  the  details  of  a  system  in  order  to  make  useful  conclusions.  In  particular, 
the  iterative  approximation  algorithm  for  real-time  systems  is  designed  to  exploit  the 
fact  that  often  not  all  timing  information  is  relevant  to  the  property  being  verified. 
The  key  idea  is  to  divide  the  state-space  into  separate  regions,  and  to  perform  state 
approximation  within  each  region.  The  algorithm  is  fully  automatic,  and  is  guaran¬ 
teed  to  terminate  correctly  whenever  the  underlying  system  has  a  finite  equivalence 
structure (e.g. a finite state-space). Furthermore it makes efficient use of both
backwards and forwards reachability information. As presented here it is specific to the
task  of  verifying  safety  properties. 

The  algorithm  is  presented  in  a  general  framework:  while  it  was  developed  specif¬ 
ically  for  verifying  timing  properties,  it  is  applicable  to  a  wide  variety  of  systems. 
In  chapters  4  and  5,  we  show  how  it  can  be  applied  to  the  verification  of  real-time 
systems  in  particular. 


2.1  Fundamental  approximation  algorithm 

The  technique  of  approximation  can  be  used  to  extend  the  usefulness  of  symbolic 
analysis.  Here  we  investigate  the  symbolic  approximation  of  the  set  of  reachable 
states. Such state-based overapproximations for verifying hard real-time systems
were first investigated by N. Halbwachs [Hal93b], and this work is inspired by his
success.

The basic idea is to replace the exact "union" on sets of states in equation 1.1
with either of

• an (overapproximating) "join" operator $\sqcup$, satisfying the soundness condition:

    for all $A, B$ : $A \cup B \subseteq A \sqcup B$        (OA_1)

or

• an (underapproximating) "plus" operator $\oplus$ satisfying the soundness condition:

    for all $A, B$ : $A \subseteq A \oplus B \subseteq A \cup B$        (UA_1)

and the nonemptiness condition:

    for all $A$ : $A \neq \emptyset$ implies $\emptyset \oplus A \neq \emptyset$        (UA_2)

Notice that the second axiom for an underapproximating operator is asymmetric,
and that neither operator need be commutative nor associative. The set $A \oplus B$ is
referred to as the expansion of $A$ with $B$. Observe that it is not necessarily larger
than $A$.

We thus have two approximation algorithms, one for overapproximating (figure 2.1)
and one for underapproximating (figure 2.2), each obtained by performing the fixpoint
computation with the appropriate approximating operator. Both take as input a safety
verification problem, and return the boolean variable verified_correct. The function
disjoint() returns the boolean value for whether its operands are disjoint or not.

2.1.1  Correctness 

When computing the fixpoint using the overapproximating operator $\sqcup$, it is clear
all the truly reachable states of the system are contained in the approximating set
$F$. It is also easy to see that using the underapproximating operator $\oplus$ gives
a set which is contained in the set of truly reachable states. In both figures the
successors are computed from the current approximation before it is expanded, so
that the iteration is exactly $F_{i+1} = F_i \sqcup N(F_i)$ (resp. $F_i \oplus N(F_i)$)
and the convergence test compares consecutive iterates.

    Fundamental_Overapprox(S, S_0, N, V)
        Last_Over := S_0;
        Over := S_0;
        converged := FALSE;
        while (not converged) do
            Last_Over := Over;
            Next_States := N(Last_Over);
            Over := Over ⊔ Next_States;
            converged := (Last_Over = Over);
        endwhile
        verified_correct := disjoint(Over, V);

Figure 2.1: Fundamental overapproximation

    Fundamental_Underapprox(S, S_0, N, V)
        Last_Under := S_0;
        Under := S_0;
        converged := FALSE;
        while (not converged) do
            Last_Under := Under;
            Next_States := N(Last_Under);
            Under := Under ⊕ Next_States;
            converged := (Last_Under = Under);
        endwhile
        verified_correct := disjoint(Under, V);

Figure 2.2: Fundamental underapproximation

Proposition 2.1 Given a verification problem $(S, S_0, N, V)$, if the fundamental
overapproximation algorithm terminates, then

• the resulting overapproximation Over contains $\mathit{reach}(S, S_0, N)$.


•  if  the  output  verified-correct  has  value  true,  then  the  system  is  correct.  □ 

Proposition 2.2 Given a verification problem $(S, S_0, N, V)$, if the fundamental
underapproximation algorithm terminates, then

• the resulting underapproximation Under is contained in $\mathit{reach}(S, S_0, N)$.

• if the output verified_correct has value false, then the system is not correct. □

2.1.2  Advantages 

The  computational  benefit  of  using  approximation  depends  critically  on  the  approx¬ 
imating  operators  and  the  sets  they  act  on.  Advantages  accrue  when  the  approxi¬ 
mating  operations  are  much  faster  than  exact  union,  and  there  are  fewer  iterations 
overall.  One  way  to  exploit  this  feature  is  to  introduce  the  notion  of  approximat¬ 
ing  sets,  a  subdomain  of  the  power  set  of  states  over  which  the  symbolic  next-state 
relation,  intersection,  and  the  approximating  operators  are  closed.  In  many  cases,  ap¬ 
proximating  sets  can  be  chosen  to  ensure  that  applying  the  approximating  operators 
is  computationally  inexpensive.  Using  approximating  sets  with  compact  represen¬ 
tations  can  lead  to  great  reductions  in  the  space  required  to  perform  the  fixpoint 
computation. 

A  further  advantage  may  arise  when  the  domain  of  approximating  sets  has  only 
small  chains  of  increasing  sets.  In  this  case,  computing  the  fixpoint  iterations  may 
converge  faster,  and  in  any  event,  there  is  a  smaller  upper  bound  on  the  number  of 
iterations  required. 

2.1.3  Disadvantages 

There  is  a  price  paid  for  only  approximating  as  opposed  to  using  exact  computa¬ 
tion.  The  approximation  may  not  correctly  determine  whether  the  system  meets  its 
specification.  Furthermore  it  is  possible  that  computing  the  approximation  is  more 
work  than  finding  the  set  of  exactly  reachable  states. 

Before explaining the potential disadvantages of approximation, we first define
some terms. A false negative is said to occur when a method reports the system is
not correct, when in fact it is. A false positive occurs when a method reports the
system is correct, when in fact it is not.

                     Overapproximation                Underapproximation
    Correctness      Possible false negatives         Possible false positives
    Computation      May search many unreachable      May iterate more times than
                     states                           exact computation

Figure 2.3: Potential disadvantages of approximation

When the overapproximation incorrectly includes violating states which are not
truly reachable, a false negative may arise. In addition, a single overapproximation
does not provide enough information to confirm any true negative, i.e. to say for sure
that a system really does violate its specification. From a computational point of view,
the overapproximation may waste effort searching through parts of the state-space
which are not really reachable.

When an underapproximation fails to include any of the violating states which are
truly reachable, a false positive may arise. Analogous to the case of overapproximation,
there is no means of confirming any positive results when the system is correct.
A potential computational disadvantage is that finding the underapproximating
fixpoint may involve more iterations than exact computation, since not necessarily all
successor states are added at each iterative step. These disadvantages are summarized
in figure 2.3.

Individually  computing  both  an  underapproximation  and  an  overapproximation 
solves  the  problem  of  the  lack  of  confirmed  negatives  in  overapproximating  and  con¬ 
firmed  positives  in  underapproximating,  but  it  may  still  yield  inconclusive  answers 
when  the  two  approximations  report  different  results. 


2.1.4  Example 

As  a  simple  example  let  us  overapproximate  the  reachable  states  of  the  following 
system. 
Example 2.3 [Basic overapproximation] Process $P$'s state-space consists of all
pairs of integer values for the variables $x$ and $y$. Initially, $x = y = 0$, and
there is one violating state: $x = 6, y = 0$. The next-state relation is determined
from the program:

    while (x<5 & y<5) do
        <x,y> := <x+1,y+1>;
    while TRUE do
        <x,y> := <x,y>;

The set of truly reachable states is $\{(i, i) \mid i \in [0, 5]\}$, and so the system
is correct. Following Cousot's interval analysis [Cou78], we choose as approximating
sets the set of rectangles, i.e. sets of points of the form:

    $\{(x, y) : l_x \leq x \leq u_x,\ l_y \leq y \leq u_y\}$

where all bounds are integers or infinity, denoted $\infty$. Such a set will be
denoted $[l_x, u_x] \times [l_y, u_y]$. The join operator acting on $A$ and $B$
returns the smallest rectangle containing both $A$ and $B$. Computing the fixpoint
iterations gives

    $F_i = [0, i] \times [0, i]$ for $i = 0..5$
    $F = [0, 5] \times [0, 5]$

The overapproximation $F$ does not include the violating state so the system is
verified. Suppose, however, the violating state were $(2, 0)$. By the second iteration
the overapproximation would include $(2, 0)$ and a false negative would be reported. □
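Example 2.3 carried out in Python, as an added illustration rather than the thesis's implementation: rectangles with integer or infinite bounds are the approximating sets, the join returns the smallest enclosing rectangle, and the loop is that of figure 2.1. One point the example glosses over is that the exact image $N(R)$ of a rectangle is not a rectangle once $R$ reaches the guard boundary (the moving part shifts by $(1, 1)$ while the states with $x \geq 5$ or $y \geq 5$ loop to themselves); the code overapproximates $N(R)$ by joining those pieces, which is why $F_5$ is already a fixpoint. The tuple encoding and the names join, meet, post and exact_reach are this example's own.

```python
"""Example 2.3 over rectangles: the join ⊔ is the smallest enclosing box and the
loop is Fundamental_Overapprox of figure 2.1. Added illustration, not the
thesis's implementation."""

INF = float("inf")
# A rectangle [lx,ux] x [ly,uy] is the tuple (lx, ux, ly, uy); None is the empty set.


def join(a, b):
    """⊔: smallest rectangle containing both operands (satisfies OA_1)."""
    if a is None or b is None:
        return a if b is None else b
    return (min(a[0], b[0]), max(a[1], b[1]), min(a[2], b[2]), max(a[3], b[3]))


def meet(a, b):
    """Exact intersection; rectangles are closed under ∩."""
    if a is None or b is None:
        return None
    r = (max(a[0], b[0]), min(a[1], b[1]), max(a[2], b[2]), min(a[3], b[3]))
    return r if r[0] <= r[1] and r[2] <= r[3] else None


def shift(r, d):
    """Translate a rectangle by (d, d)."""
    return None if r is None else (r[0] + d, r[1] + d, r[2] + d, r[3] + d)


# The program: while (x<5 & y<5) do <x,y> := <x+1,y+1>; afterwards the state is fixed.
MOVING = (-INF, 4, -INF, 4)         # guard x<5 & y<5 over the integers
STUCK_X = (5, INF, -INF, INF)       # x >= 5: the state loops to itself
STUCK_Y = (-INF, INF, 5, INF)       # y >= 5: likewise


def post(r):
    """N(r), overapproximated by one rectangle: the moving part is shifted by
    (1,1) and joined with the two self-looping parts."""
    moving = shift(meet(r, MOVING), 1)
    return join(join(moving, meet(r, STUCK_X)), meet(r, STUCK_Y))


def contains(r, point):
    return r is not None and r[0] <= point[0] <= r[1] and r[2] <= point[1] <= r[3]


def fundamental_overapprox(s0, violating):
    """Figure 2.1: Over := Over ⊔ N(Over) until it stops changing.
    Returns (Over, the iterates F_0, F_1, ..., verified_correct)."""
    over, iterates = s0, [s0]
    while True:
        last_over = over
        over = join(over, post(last_over))
        if over == last_over:
            break
        iterates.append(over)
    return over, iterates, not contains(over, violating)


def first_iterate_containing(iterates, point):
    """Index i of the first F_i containing the point, or None if none does."""
    return next((i for i, f in enumerate(iterates) if contains(f, point)), None)


def exact_reach():
    """Truly reachable states, by running the (deterministic) program."""
    x = y = 0
    seen = set()
    while (x, y) not in seen:
        seen.add((x, y))
        if x < 5 and y < 5:
            x, y = x + 1, y + 1
    return seen


if __name__ == "__main__":
    for v in ((6, 0), (2, 0)):
        over, its, ok = fundamental_overapprox((0, 0, 0, 0), v)
        print(v, "Over =", over, "iterates:", len(its), "verified:", ok,
              "truly reachable:", v in exact_reach())
```

The second run is the false negative of the example: $(2, 0)$ enters the approximation at $F_2 = [0, 2] \times [0, 2]$ although it is not truly reachable, and a single overapproximation gives no way to tell that from a real violation.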


2.2  Simple  variations 

Before  explaining  the  full  iterated  algorithm  which  determines  exactly  whether  the 
system  is  correct,  we  first  introduce  some  basic  variations  on  the  simple  approximation 
scheme  in  the  last  section.  These  variations  will  be  combined  in  the  full  algorithm 
appearing  in  the  next  section. 
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2.2.1  Backwards  reachability 

While the previously described approximations proceeded forward through the state-
space, it is also possible to approximate while performing backwards traversals. The
system is correct iff the initial states are not backwards reachable from the violating
states. Thus backwards graph traversal gives rise to the following verification scheme:

    $B_0 = V$
    $B_{i+1} = B_i \cup N^{-1}(B_i)$        (2.4)
    $B = \lim_i B_i$

where $N^{-1}(B_i)$ denotes the set of predecessors of $B_i$. The system is correct
iff $B \cap S_0 = \emptyset$. Naturally, we can replace the exact union operator in
equation 2.4 with the $\sqcup$ and $\oplus$ operators to approximate the backwards
reachable states.

In the remainder of this thesis we assume backwards approximations refer to
approximations of the states backwards reachable from the violating states.

2.2.2  Iterated  overapproximations 

Information from a forward overapproximation can be used to refine the computation
of a backwards approximation, and vice versa, leading to a scheme of iteratively
refined overapproximations. Observe that every system state lying on a violating
execution trace satisfies two properties: it is both forward reachable from the initial
states and backwards reachable from the violating states. In analyzing the reachable
state-space, we need only consider states which potentially fulfill both these
properties. Thus, in a forward traversal, we may disregard states which are not
backwards reachable from the violating states.

Figure 2.4 outlines an iterative scheme of alternately computing forward and
backwards overapproximations, where the last computed overapproximation in the
opposite direction is used to narrow the scope of the states considered during the
current approximation. Overapproximations are repeatedly computed until either the
system is verified correct, or the forward and backwards approximations are the same,
in which case a (potentially false) negative is reported. The function Opposite_Dir
maps FORWARDS to BACKWARDS, and vice versa. Given a set of states OverRev
representing a superset of the reachable states in the reverse direction, the function
Approx_Within limits the next overapproximation so it never goes outside OverRev.
Thus for a set of initial states Start and a known backwards overapproximation
B_Over, the function call Approx_Within(B_Over, Start, N, FORWARDS) returns an
overapproximation obtained by computing the following limit:

    $F_0 = \mathit{Start} \cap \mathit{B\_Over}$
    $F_{i+1} = (F_i \sqcup N(F_i)) \cap \mathit{B\_Over}$
    $F = \lim_i F_i$

The function Approx_Within works similarly when computing a backwards
overapproximation relative to the previous forwards overapproximation. The current
(resp. last) overapproximations are stored in the array Over (resp. Last_Over), and
the arrays Start and End indicate the sets of starting and ending states for violating
traces viewed in the indexed direction.

2.2.3 Separating classes

We now describe a mechanism which enables more accurate approximations. The false negative of example 2.3 could be explained as due to poor approximation: the approximation was too "loose". A good goal would be to use more accurate approximations. One way to do this would be to have the join operator result in the smallest enclosing convex polyhedron rather than a rectangle, i.e. improve the accuracy of the approximation by using more expressive approximating sets. However, we are really interested in a methodology which will allow approximations to become successively more accurate as necessary. The method we use is based on the simple idea of localizing the approximations: we use state-space partitioning to limit the application of the approximating operators when it is suspected that joining states will result in too crude an approximation. The mechanism divides the state-space into different separating classes. An approximation is then a set of sets, each of which lies entirely
Iterated_Overapprox
  Start[FORWARDS] := End[BACKWARDS] := S_0;
  Start[BACKWARDS] := End[FORWARDS] := V;
  Last_Over[BACKWARDS] := S;
  Last_Over[FORWARDS] := ∅;
  dirn := FORWARDS;
  verified_correct := FALSE;
  iterations_done := FALSE;
  while (not verified_correct and not iterations_done) do
    Over[dirn] := Approx_Within(Last_Over[Opposite_Dir(dirn)], Start[dirn], N, dirn);
    iterations_done := (Over[dirn] = Last_Over[dirn]);
    verified_correct := Disjoint(Over[dirn], End[dirn]);
    Last_Over[dirn] := Over[dirn];
    dirn := Opposite_Dir(dirn);
  endwhile

Figure 2.4: Iterated overapproximations

within a separating class. The approximation operators are only applied within any given class. In computing an approximation, we apply the next-state relation to each set of states in the current approximation, and intersect the result with each separating class. The approximating operators are then applied only across sets from within the same separating class. In effect, the approximation is always localized within any given separating class¹.


Approximating structures

We delay until the next section a detailed explanation of how to find a good set of separating classes based on avoiding joins which might lead to false negatives and false positives. For now, we concentrate on how separating classes enable more accurate approximations. Formally, we define a separating structure $C$ for a set of states $D$ to be a tuple of distinct (but not necessarily disjoint) sets $(C_i)_{i \in I}$ which cover $D$, i.e. $\bigcup_{i \in I} C_i = D$. We refer to the components of a tuple as its elements. The elements of a separating structure are called separating classes. An approximating structure $\mathcal{A}$ with respect to $C$ is a tuple of sets of sets where each $A_{ij} \subseteq C_i$.

Reference to $C$ will be omitted when the meaning is clear. We say that the set $A$ is in (or appears in) $\mathcal{A}$ iff $A = A_{ij}$ for some $i$ and $j$. The $i$-th component of $\mathcal{A}$ is the set of sets $\{A_{ij}\}_{j \in J_i}$ and can be thought of as a set of approximating sets for the reachable states lying within $C_i$. We say the base elements of an approximating structure are those states found in any of the individual sets of the structure, i.e. $s$ is a base element of $\mathcal{A}$ iff $s \in A_{ij}$ for some $i$ and $j$. For any approximating structure $\mathcal{A}$, let $\bigcup \mathcal{A}$ denote its base elements. A state appears in an approximating structure $\mathcal{A}$ iff it is one of its base elements.

¹The basic approximation algorithm may be viewed as having all states lie in one large separating class, $S$.

Operations on approximating structures

Instead of using a single approximating set as an estimate for the set of reachable states, we now use approximating structures respecting $C$. Applying the next-state relation $N$ to an approximating structure $\mathcal{A} = (\{A_{ij}\}_{j \in J_i})_{i \in I}$ yields the structure $N_C(\mathcal{A})$ whose $i$-th component is the set of sets

$\{\, N(A_{i'j}) \cap C_i \mid i' \in I \text{ and } j \in J_{i'} \,\}$
The join operator is defined relative to a separating structure $C = (C_i)_{i \in I}$. Its operands are approximating structures respecting $C$. Intuitively the join is done independently in each component, where each approximating set is the result of joining sets in its operands. A set of sets $\{D_l\}_{l \in L}$ is said to be a join-combination of a set of sets $\{A_j\}_{j \in J}$ iff

• for each $l \in L$, $D_l = \bigsqcup_{i=1..m} A_{j_i}$ where each index $j_i$ is in $J$, and,

• for each $j \in J$ there exists an $l \in L$ such that $A_j \subseteq D_l$.

The set of sets $\{D_l\}_{l \in L}$ is said to be a join-combination of two sets of sets $\{A_j\}_{j \in J}$ and $\{B_k\}_{k \in K}$ iff it is a join-combination of their union $\{A_j\}_{j \in J} \cup \{B_k\}_{k \in K}$. An approximating structure is a join of two approximating structures $\mathcal{A} = (\{A_{ij}\}_{j \in J_i})_{i \in I}$ and $\mathcal{B} = (\{B_{ik}\}_{k \in K_i})_{i \in I}$ iff its $i$-th component is a join-combination of $\mathcal{A}_i$ and $\mathcal{B}_i$. For simplicity, we may write $\mathcal{A} \sqcup \mathcal{B}$ to refer to any join of $\mathcal{A}$ and $\mathcal{B}$, rather than introducing notation for relations over triples $(\mathcal{A}, \mathcal{B}, \mathcal{C})$ of approximating structures to indicate that $\mathcal{C}$ is a join of $\mathcal{A}$ and $\mathcal{B}$.

We can also obtain underapproximations in a similar way. We first extend the $\rhd$ operator to sets of states and then to approximating structures. Intuitively, expanding an approximating structure $\mathcal{A}$ with $\mathcal{B}$ is the result of expanding each component $\mathcal{A}_i$ with $\mathcal{B}_i$. The expansion over components consists of taking sets in $\mathcal{B}_i$ and adding them via the $\rhd$ operator to the sets in $\mathcal{A}_i$. The set of sets $\{D_l\}_{l \in L}$ is said to be an expansion of the set of sets $\{A_j\}_{j \in J}$ with $\{B_k\}_{k \in K}$ iff it is the result of taking each set $A_j$ and expanding it with some number of sets $B_{j,1}, B_{j,2}, \ldots, B_{j,K_j}$ in such a way that each set $B_k$ is added to some $A_j$, i.e. for every $k \in K$ there are $j$ and $l$ such that $B_k = B_{j,l}$. Formally, for every $l \in L$ there is an index $j_l \in J$ selecting a set $A_{j_l}$, and a sequence of indices $k_{l,1}, k_{l,2}, \ldots, k_{l,m_l} \in K$ selecting some sets in $\{B_k\}_{k \in K}$ to be added to $A_{j_l}$, such that

• every $D_l$ results from expansions to $A_{j_l}$ by the sets $B_{k_{l,1}}, \ldots, B_{k_{l,m_l}}$, i.e. for every $l$, $D_l = ((A_{j_l} \rhd B_{k_{l,1}}) \rhd B_{k_{l,2}}) \cdots \rhd B_{k_{l,m_l}}$, and,

• every set $A_j$ is preserved, i.e. for every $A_j$ there is a set $D_l$ such that $A_j \subseteq D_l$, and,

• every set $B_k$ is added, i.e. for every $k \in K$, there is some index $k_{l,m}$ equal to $k$.

An approximating structure is an expansion of the approximating structure $\mathcal{A}$ with $\mathcal{B}$ iff its $i$-th component is an expansion of $\mathcal{A}_i$ with $\mathcal{B}_i$. Again we avoid unwieldy notation involving relations and informally write $\mathcal{A} \rhd \mathcal{B}$ to indicate some expansion of $\mathcal{A}$ with $\mathcal{B}$.

Finally we define the separation of a set with respect to a separating structure. Given a set of states $A$ and a separating structure $C$, $A \downarrow C$ is the approximating structure whose $i$-th component is $A \cap C_i$. The algorithms for computing overapproximations and underapproximations using separating structures appear in figures 2.5 and 2.6.

Separating_Classes_Overapproximation((S, S_0, N, V), C)
  Last_Over := S_0 ↓ C;
  Over := Last_Over;
  converged := FALSE;
  while (not converged) do
    /* save the current structure first, so the convergence test below
       compares consecutive iterates and successors are taken of the
       current structure rather than a stale one */
    Last_Over := Over;
    Next_States := N_C(Last_Over);
    /* the join operator returns a legal join */
    Over := Over ⊔ Next_States;
    converged := (Last_Over = Over);
  endwhile
  verified_correct := disjoint(⋃Over, V);

Figure 2.5: Separating classes overapproximation

Proposition 2.4 If the overapproximating algorithm using separating classes (figure 2.5) terminates, then

• $\bigcup \mathit{Over} \supseteq \mathit{reach}(S)$.

• if the boolean output verified_correct has value true, then the system is correct. □

Proposition 2.5 If the underapproximating algorithm using separating classes (figure 2.6) terminates, then

• $\bigcup \mathit{Under} \subseteq \mathit{reach}(S)$.

• if the boolean output verified_correct has value false, then the system is not correct. □

Separating_Classes_Underapproximation((S, S_0, N, V), C)
  Last_Under := S_0 ↓ C;
  Under := Last_Under;
  converged := FALSE;
  while (not converged) do
    /* save the current structure first, so the convergence test below
       compares consecutive iterates */
    Last_Under := Under;
    Next_States := N_C(Last_Under);
    /* the addition operator returns a legal expansion */
    Under := Under ▷ Next_States;
    converged := (Last_Under = Under);
  endwhile
  verified_correct := disjoint(⋃Under, V);

Figure 2.6: Separating classes underapproximation

Figure 2.7: Separating classes example

Example 2.6 [Separating Classes: Overapproximation] Consider again the system in example 2.3, with violating state $(2, 0)$. In an effort to show that the reachable states do not include $(2, 0)$, we use approximating sets to partition the state space so that the violating state is separate from the rest. Thus we may choose as a separating structure $C = (C_1 = [0,1] \times [0,\infty],\ C_2 = [2,\infty] \times [1,\infty],\ C_3 = [2,2] \times [0,0],\ C_4 = [3,\infty] \times [0,0])$. We adopt a simple policy for choosing a join of a set of sets: $\{A\} \sqcup \{B\} = \{A \sqcup B\}$². Then we iterate from $\mathcal{A}_0 = (\{[0,0] \times [0,0]\}, \{\}, \{\}, \{\})$, giving first $\mathcal{A}_1 = (\{[0,1] \times [0,1]\}, \{\}, \{\}, \{\})$. To compute $\mathcal{A}_2$ we first find

$T = N_C(\mathcal{A}_1) = N(\mathcal{A}_1) \downarrow C = ([1,2] \times [1,2]) \downarrow C = ([1,1] \times [1,2],\ [2,2] \times [1,2],\ \{\},\ \{\})$

giving

$\mathcal{A}_2 = T \sqcup \mathcal{A}_1 = (\{([1,1] \times [1,2]) \sqcup ([0,1] \times [0,1])\},\ \{[2,2] \times [1,2]\},\ \{\},\ \{\}) = (\{[0,1] \times [0,2]\},\ \{[2,2] \times [1,2]\},\ \{\},\ \{\})$

$\mathcal{A}_3 = (\{[0,1] \times [0,3]\},\ \{[2,3] \times [1,3]\},\ \{\},\ \{\})$

$\mathcal{A}_4 = (\{[0,1] \times [0,4]\},\ \{[2,4] \times [1,4]\},\ \{\},\ \{\})$

$\mathcal{A}_5 = (\{[0,1] \times [0,5]\},\ \{[2,5] \times [1,5]\},\ \{\},\ \{\})$

$\mathcal{A} = \lim_i \mathcal{A}_i$

The base elements of the approximating structure $\mathcal{A}$ do not include the violating state, and the system is correctly verified. □

²This policy ensures every component of every approximating structure generated is either a single set or the empty set.

Note that the iterated approximation method mentioned in subsection 2.2.2 is a special application of using the result Over[dirn] of each previous forward (or backwards) pass in a separating structure (Over[dirn]) for the next pass in the opposite direction.

So far the discussion has been about using separating classes for forwards approximations, but the algorithm applies perfectly well to backwards approximation as well.


2.3 Full approximation algorithm

The full approximation algorithm iterates with increasingly accurate underapproximations and overapproximations, both in the forward and backwards directions. Approximations are computed with respect to successively finer separating structures which are dynamically generated by the algorithm. Whenever the algorithm terminates, it gives a true answer to the verification problem, i.e. there is no possibility of termination with false negatives or false positives. If the system's state-space is finite, the algorithm is guaranteed to terminate, and thus always determines whether the specification is satisfied or not.

Figure 2.8: Conditions leading to false negatives

Iterative convergence

Many iterative approximation schemes can be designed with this kind of progress property, namely that successive approximations are more accurate, and termination is guaranteed over finite state-spaces. For example, we need only ensure that the final iteration is the full exact computation gained from the separating structure where every state forms a class of its own. We can design iterative schemes where the approximation is performed with a fixed sequence of successively finer separating structures. For instance, an algorithm which uses a given partitioning of a (finite) state-space into at least $2^i$ disjoint separating classes at the $i$-th traversal will guarantee a confirmed answer to the verification problem after logarithmically many iterations. While this approach may be successful in some cases, it is generally difficult to choose in advance which separating structures should be used in order to achieve efficient verification. We propose instead an iterative approximation scheme which automatically discovers where approximations can be taken more freely, and where the analysis needs to be more exact. The user provides only an initial separating structure, and then the algorithm uses information from previous approximations to generate suitable refined separating structures. The scheme is therefore dynamically based, and adapts itself to the particular problem being solved, rather than being statically determined.

Conditional joining

The refinement procedure is based on some simple observations about how false negatives and false positives arise. It uses a notion of conditional joining to determine which parts of the state-space should be kept separate, and thus placed in different separating classes. The additional conditions we describe for joining sets are easily detectable and lead to increased accuracy of the approximations only in those parts of the state-space which are likely to lead to false positives or negatives. Suppose a false negative is obtained while performing a forward overapproximation of the reachable states. It must be a consequence of some join in the midst of computing the approximation. Figure 2.8 shows how false negatives occur: at some point a join caused an ancestor state $s'$ of $s$ to be included in the approximation although $s'$ and $s$ are not truly reachable³. If all such joins could be avoided, there would be no false negatives in the approximation. However, it is not easy to use this criterion to decide whether to join two sets or not, since we cannot predict whether a state $s'$ is a predecessor of any violating states. There is a clear trade-off between the amount of effort spent in determining whether $s'$ is a predecessor of a violating state and a possibly inaccurate approximation as a result of unwisely joining sets $A$ and $D$.

Quick decision strategy

The strategy we propose is to use simple and fast checks on whether to join sets. Any mistakes which are made when sets are joined when they should not have been can be detected and corrected in a later approximation. The advantage of this approach is that sets are joined unless there is very strong reason not to, and so the approximating structures are kept small, and the computations of each approximation are fast. For false negatives then, we concentrate on cases where it is clearly foolish to join sets. If the state $s'$ lies in the previous backwards underapproximation, then joining $A$ and $D$ in figure 2.8 will lead to a negative being introduced by this approximating step, since $s'$ definitely has a path to a violating state. However, there is no particular reason to believe that $s'$ is really reachable, since it is only included in the approximation because of a join operation and we have not constructed a path to it. Thus there is every chance that this negative will be a false negative. This discussion suggests avoiding all joins where the operands $A$ and $D$ contain no states in the previous reverse direction's underapproximation, but their join does.

³It may be that $s = s'$.

Figure 2.9: Conditions leading to false positives

There is a similar condition based on the occurrence of false positives. It is also simple to detect, and results in refining the approximations in areas of the state-space where false positives are likely to originate. Suppose we are computing a forwards underapproximation. Figure 2.9 shows how the propagation of the reachable states is stalled at $s$, and its successor $s'$ is omitted from the underapproximation. Clearly $s'$ is truly reachable. Let us first examine the conditions leading to $s'$ not appearing in the underapproximation. Since its predecessor $s$ is in the underapproximation, there is some stage of the underapproximation algorithm when all the successors of $s$, including $s'$, are considered for inclusion in the underapproximation. If at this point, the underapproximation does not include any states in the same separating class as $s'$, then some states would immediately be added to the underapproximation, by the nonemptiness of the underapproximating operator (i.e. $\emptyset \rhd A \neq \emptyset$ for nonempty sets $A$). Because we know $s'$ is not in the underapproximation, it follows that the underapproximation must include some other states in the separating class $C$ of $s'$. One way to increase the likelihood that $s'$ appears in the next underapproximation is to use separating classes to separate it from all states in the underapproximation which lie in $C$. These separating classes are created dynamically by the next backwards overapproximation, which will avoid joining sets within $C$ if one of its operands contains states in $F_U$ while the other does not.

Figure 2.10: Violating conditions for permissible joins

2.3.1 Conditional joins

The usual algorithm using separating classes would always join two sets $A$ and $D$ whenever they lie within the same separating class. Following the discussion above, we now provide more restrictive conditions under which such joins should be performed. The conditions given below apply when performing forward reachability. Symmetric conditions apply for backwards reachability and are not explicitly stated here. Let $A$ and $D$ be two sets lying within the same separating class. Let $B_U$ be the set of states in the previous backwards underapproximation which are contained in that separating class. A join between $A$ and $D$ is said to be permissible unless either of the following two conditions holds:

1. both $A$ and $D$ are disjoint from $B_U$ but $A \sqcup D$ is not, or

2. $D$ is disjoint from $B_U$ and $A$ is not, or $A$ is disjoint from $B_U$ and $D$ is not.

Condition 1 corresponds to a situation leading to a false negative, and Condition 2 to possible false positives.

We say that when sets are joined in a manner that respects the above conditions, the result is a $B_U$-consistent join, which we now formally define. The auxiliary function overlap() returns whether its two parameters have non-empty intersection, i.e.

$\mathit{overlap}(X, Y) = \begin{cases} \text{TRUE} & X \cap Y \neq \emptyset \\ \text{FALSE} & \text{otherwise} \end{cases}$

Given a set $X$, we say that a set of sets $\{D_l\}_{l \in L}$ is an $X$-consistent join of a set of sets $\{A_j\}_{j \in J}$ iff

• for each $l \in L$, $D_l = \bigsqcup_{i=1..m} A_{j_i}$ where each $j_i \in J$ and for each $i = 1..m$, $\mathit{overlap}(A_{j_i}, X) = \mathit{overlap}(D_l, X)$.

• for each $j \in J$ there exists an $l \in L$ such that $A_j \subseteq D_l$.

Corollary 2.7 If the separating classes overapproximation algorithm of figure 2.5 is run under the restriction that all joins are $X$-consistent for some set $X$, then

• $\bigcup \mathit{Over} \supseteq \mathit{reach}(S)$.

• if the boolean output verified_correct has value true, then the system is correct.

Proof: Obvious from proposition 2.4, since all $X$-consistent joins are joins. □


2.3.2 Refinement of approximations

As explained informally above, the approximations are successively more accurate because they are computed using finer and finer separating structures. The separating structures are derived from the most recently computed overapproximation. Their refinement is the result of using only conditional joins. In other words, if an overapproximation contains the class $C$, the next overapproximation may have created approximating sets $C_1, C_2, \ldots, C_k$, all within $C$, through using only conditional joins. The next approximation will use each of these sets $C_i$ as separating classes instead of $C$. The result is a more accurate approximation, because some joins which would have taken place within the class $C$ will no longer do so since their operands now lie in different classes.

Before an approximating structure can be used as a separating structure, it must first be flattened, since it is a tuple of sets of sets, rather than a tuple of sets. We define the Flatten() function over approximating structures $\mathcal{A}$ such that $\mathrm{Flatten}((\{A_{ij}\}_{j \in J_i})_{i \in I}) = (A_k)_{k \in K}$ where each $A_k$ is one of the sets $A_{ij}$, i.e. every approximating set in $\mathcal{A}$ is a component of $\mathrm{Flatten}(\mathcal{A})$.
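As an added illustration (not code from the thesis), the following Python runs the separating-classes overapproximation of figure 2.5 and the $X$-consistent joins of section 2.3.1 over the system of example 2.6, using rectangles as approximating sets and the bounding rectangle as the join. The next-state relation $N$ of example 2.3 is not stated on this page, so it is assumed here to be $(x, y) \mapsto (x+1, y+1)$ on a finite state space bounded by a constructed constant K (chosen because it reproduces the iterates $\mathcal{A}_1 \ldots \mathcal{A}_5$ shown above); all function names are this example's own.

```python
# Constructed finite state space: states are pairs (x, y) with 0 <= x, y <= K.
# The "oo" bounds of example 2.6 are clamped to K so that every traversal terminates.
K = 6

# An approximating set is a rectangle (x_lo, x_hi, y_lo, y_hi) of closed integer intervals.

def meet(a, b):
    """Intersection of two rectangles, or None when it is empty."""
    r = (max(a[0], b[0]), min(a[1], b[1]), max(a[2], b[2]), min(a[3], b[3]))
    return r if r[0] <= r[1] and r[2] <= r[3] else None

def join(a, b):
    """The join operator on rectangles: the smallest enclosing rectangle."""
    return (min(a[0], b[0]), max(a[1], b[1]), min(a[2], b[2]), max(a[3], b[3]))

def overlap(a, b):
    """The auxiliary function of section 2.3.1: do the two rectangles intersect?"""
    return meet(a, b) is not None

def next_states(r):
    """Assumed next-state relation N (not stated on this page): (x, y) -> (x+1, y+1),
    saturating at K. Applied to a rectangle it yields the image rectangle."""
    return tuple(min(v + 1, K) for v in r)

def separate(rects, C):
    """Separation with respect to C: component i holds the non-empty pieces r ∩ C_i."""
    return [[m for r in rects if (m := meet(r, c)) is not None] for c in C]

def consistent_join(sets, X):
    """X-consistent join of the sets of one component. A join of A and D is permissible
    unless it changes whether the set overlaps X (conditions 1 and 2 of section 2.3.1).
    X is a list of rectangles; for X = [] every join is permissible, which recovers the
    simple policy {A} join {D} = {A join D} used in example 2.6."""
    touches = lambda r: any(overlap(r, x) for x in X)
    result = []
    for d in sets:
        for i, a in enumerate(result):
            if meet(a, d) == d:                 # d already lies inside a: nothing to add
                break
            j = join(a, d)
            if touches(a) == touches(j) == touches(d):
                result[i] = j                   # permissible: replace a by a join d
                break
        else:
            result.append(d)                    # no permissible join: keep d separate
    return sorted(result)

def overapprox(S0, C, X=()):
    """Separating-classes overapproximation (figure 2.5), with joins restricted to
    X-consistent joins as in corollary 2.7. Returns the approximating structure."""
    over = separate(S0, C)
    while True:
        last = over
        succ = separate([next_states(r) for comp in over for r in comp], C)
        over = [consistent_join(old + new, X) for old, new in zip(last, succ)]
        if over == last:                        # converged: the structure did not change
            return over

def base_elements(structure):
    """The set of states appearing in any rectangle of the structure."""
    return {(x, y) for comp in structure for r in comp
            for x in range(r[0], r[1] + 1) for y in range(r[2], r[3] + 1)}

def flatten(structure):
    """Flatten(): every approximating set becomes a separating class (section 2.3.2)."""
    return [r for comp in structure for r in comp]

def verified_correct(structure, V):
    """True iff no violating state is a base element of the structure."""
    return not (base_elements(structure) & set(V))

# The data of example 2.6: initial state (0,0), violating state (2,0), classes C_1..C_4.
S0 = [(0, 0, 0, 0)]
V = [(2, 0)]
C_EXAMPLE = [(0, 1, 0, K), (2, K, 1, K), (2, 2, 0, 0), (3, K, 0, 0)]
C_TRIVIAL = [(0, K, 0, K)]                      # the basic algorithm: one class, all of S

if __name__ == "__main__":
    basic = overapprox(S0, C_TRIVIAL)
    print("one class:       ", basic, verified_correct(basic, V))       # false negative
    classes = overapprox(S0, C_EXAMPLE)
    print("example 2.6:     ", classes, verified_correct(classes, V))   # verified
    # Conditional joins alone, with the violating state as the backwards
    # underapproximation B_U (B_0 = V, so V is always backwards reachable),
    # also keep (2,0) out of the overapproximation even with a single class.
    refined = overapprox(S0, C_TRIVIAL, X=[(2, 2, 0, 0)])
    print("conditional join:", refined, verified_correct(refined, V))
    print("next separating structure:", flatten(refined))
```

The single-class run reproduces the false negative of example 2.3 (the rectangle [0,K]×[0,K] contains (2,0)), while both the separating structure of example 2.6 and the conditional joins keep the violating state out of the base elements.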

2.3.3 Sketch of algorithm

The full algorithm is sketched below. Forward overapproximations and underapproximations, and backwards overapproximations and underapproximations, are alternately computed. Each time an approximation is computed, information from the latest available approximations in the opposite direction is used. The opposite direction's overapproximation gives an upper bound on the states which need to be considered, see section 2.2.2. In addition this overapproximation also serves as a separating structure for the current overapproximation. The opposite direction's underapproximation is used to determine which joins are permissible, see section 2.3.1. Overapproximations are computed as described above, with only permissible joins. Thus an overapproximation may have several unjoined sets for each separating class of the separating structure it respects. This resulting overapproximation is used as a separating structure for the next pair of approximations. Thus the approximations are computed relative to finer and finer separating classes, resulting in successively more accurate approximations.

The forward and backward overapproximations and underapproximations are successively computed until the system is deemed correct, or a true violation is detected. Notice that in general the full algorithm need not terminate: it may generate infinitely many approximations without ever solving the verification problem. However, if the state-space is finite, or can be partitioned into finitely many equivalence classes, the algorithm is guaranteed to terminate (see Theorem 2.14). The skeleton of the full algorithm appears in figure 2.11. The arrays Over and Under are global variables storing the current approximations in each direction, and confirmed_positive and confirmed_negative are global booleans. The algorithm starts by computing approximations in the forward direction⁴. Initially nothing is known about which states are backwards reachable, so we assume the user supplies an initial overapproximating structure whose base elements are all of $S$. We take the empty approximating structure as a conservative underapproximation of the backwards reachable states⁵. The functions Over_Approx() and Under_Approx() return approximations in the appropriate direction.

Full_Approx
  Over[BACKWARDS] := original separating structure;
  Under[BACKWARDS] := empty approximating structure;
  /* initialized so the first call to Under_Approx(FORWARDS, ...) reads a defined value */
  Under[FORWARDS] := empty approximating structure;
  confirmed_positive := FALSE;
  confirmed_negative := FALSE;
  dirn := FORWARDS;
  Sep_Structure := original separating structure;
  while ((not confirmed_positive) and (not confirmed_negative)) do
    Over[dirn] := Over_Approx(dirn, N, Sep_Structure, Under[Opposite_Dirn(dirn)]);
    Sep_Structure := Flatten(Over[dirn]);
    Under[dirn] := Under_Approx(dirn, N, Sep_Structure);
    dirn := Opposite_Dirn(dirn);
  endwhile

Figure 2.11: Full approximating algorithm

Pseudocode for the overapproximation algorithm appears in figure 2.12. The parameter Opp_U is an underapproximating structure in the opposite direction. The parameter Sep is the result of flattening an overapproximating structure into its corresponding separating structure. When called with parameters FORWARDS, N, A and C, the function Successors() returns the set of successors of A via the next-state relation N, separated with respect to the structure C, and the function call Successors(BACKWARDS, N, A, C) returns its set of predecessors separated with respect to C. The function consistent_join(), called with parameters X, A and B, returns an X-consistent join of A and B. The algorithm for underapproximations is similar, except that there is no need to check for consistency when applying the approximating operator.

⁴The algorithm could just as well start going backwards from the violating states instead.
⁵In fact, we could use any approximating structure whose base elements are a subset of $V$.

Over_Approx(dirn, Nsr, Sep, Opp_U)
  Last_Over[dirn] := Start[dirn] ↓ Sep;
  Over[dirn] := Last_Over[dirn];
  converged := FALSE;
  while (not converged) do
    /* save the current structure first, so the convergence test below
       compares consecutive iterates */
    Last_Over[dirn] := Over[dirn];
    Next_States := Successors(dirn, Nsr, Last_Over[dirn], Sep);
    Over[dirn] := consistent_join(Opp_U, Over[dirn], Next_States);
    converged := (⋃Last_Over[dirn] = ⋃Over[dirn]);
  endwhile
  verified_correct := disjoint(⋃Over[dirn], End[dirn]);
  confirmed_positive := verified_correct;

Figure 2.12: Overapproximating algorithm


Correctness

Theorem 2.8 The following are true for forward and backwards traversals:

1. The states appearing in any underapproximating structure are a subset of the truly reachable states.

2. The states appearing in any overapproximating structure returned by the routine Over_Approx are a superset of the truly reachable states that lie on violating paths.


Termination

Let $FO_i$ ($BO_i$) and $FU_i$ ($BU_i$) be the $i$-th forward (backward) overapproximations and underapproximations in a sequence of approximations generated by the algorithm. We refer to the computation of $FO_i$ and $FU_i$ as the $i$-th forwards traversal of the algorithm. We first note that when $S$ is finite, each individual traversal will complete.

Under_Approx(dirn, Nsr, Sep)
  /* the new underapproximation starts from the starting states together with the
     states of the previous underapproximation in this direction, re-separated by Sep */
  Last_Under[dirn] := (Start[dirn] ∪ ⋃Under[dirn]) ↓ Sep;
  Under[dirn] := Last_Under[dirn];
  converged := FALSE;
  while (not converged) do
    /* save the current structure first, so the convergence test below
       compares consecutive iterates */
    Last_Under[dirn] := Under[dirn];
    Next_States := Successors(dirn, Nsr, Last_Under[dirn], Sep);
    /* the addition operator returns a legal expansion */
    Under[dirn] := Under[dirn] ▷ Next_States;
    converged := (⋃Last_Under[dirn] = ⋃Under[dirn]);
  endwhile
  verified_correct := disjoint(⋃Under[dirn], End[dirn]);
  confirmed_negative := not verified_correct;

Figure 2.13: Underapproximating algorithm

Proposition 2.9 If $S$ is finite, then the individual calls to Over_Approx and Under_Approx terminate.

Proof: The while loop of each algorithm is only repeated when additional base elements are added to the currently computed approximation. Therefore the loop terminates since the state-space is finite. □

The argument for termination of the full algorithm consists of showing that there is a well-founded ordering over the approximations generated by the algorithm, such that they are non-increasing and, if the algorithm did not terminate, would have to decrease infinitely often.

We define a partial order over approximating structures, where

$\mathcal{A} \prec_{base} \mathcal{B}$ if and only if $\bigcup \mathcal{A} \subset \bigcup \mathcal{B}$

In addition, we say

$\mathcal{A} \preceq_{base} \mathcal{B}$ if and only if $\bigcup \mathcal{A} \subseteq \bigcup \mathcal{B}$

We also denote $\mathcal{A} \prec_{base} \mathcal{B}$ by $\mathcal{B} \succ_{base} \mathcal{A}$, and write $\mathcal{B} \succeq_{base} \mathcal{A}$ for $\mathcal{A} \preceq_{base} \mathcal{B}$. The orders are well-founded.

Proposition 2.10 If $S$ is finite, then there are no infinite strictly $\prec_{base}$-descending or $\prec_{base}$-ascending chains of approximating structures. □

We now show the overapproximations are non-increasing with respect to $\preceq_{base}$.

Proposition 2.11 $BO_{i+1} \preceq_{base} FO_{i+1} \preceq_{base} BO_i \preceq_{base} FO_i$

Proof: Every base element of an approximation is also a base element of the separating structure it respects. The separating structures are obtained by flattening the previous overapproximations, and flattening preserves the base elements of a structure. □

Finally we establish that if the algorithm does not terminate, then the forwards overapproximations must decrease infinitely often with respect to $\prec_{base}$. In the next proposition we first show that non-termination implies that after every two traversals either the overapproximations strictly decrease, or the underapproximations strictly increase. Then the proof of proposition 2.13 shows the overapproximations must decrease infinitely often, since the underapproximations cannot increase infinitely often in a finite state-space. This contradicts the well-foundedness of $\prec_{base}$.

We first introduce some notation. Given a set of states $Y \subseteq S$, we say that a set $X$ of states is $Y$-avoiding iff $X \cap Y = \emptyset$. It is $Y$-touching iff it is not $Y$-avoiding.

Proposition 2.12 If the algorithm has not terminated after computing $FO_{i+2}$, then either $FO_{i+2} \prec_{base} FO_i$, or $BU_i \prec_{base} BU_{i+1}$.

Proof: The proposition essentially states that in every couple of traversals some progress is made in either the overapproximations or the underapproximations. Assume the algorithm has not terminated after computing $FO_{i+2}$. Then by proposition 2.11 if $BO_{i+1} \prec_{base} FO_i$, it follows that $FO_{i+2} \prec_{base} FO_i$, and progress has been made in the overapproximation as required. Thus we need only consider the case where $\bigcup BO_{i+1} = \bigcup FO_i$. First observe that $BU_i \preceq_{base} BU_{i+1}$ since $\bigcup BU_{i+1}$ contains $\bigcup BU_i \cap \bigcup BO_{i+1}$, which equals $\bigcup BU_i \cap \bigcup BO_i$, which equals $\bigcup BU_i$ since $\bigcup BU_i \subseteq \bigcup BO_i$. Hence in order to show that $BU_i \prec_{base} BU_{i+1}$ we need only demonstrate that $BU_{i+1}$ includes some state not in $BU_i$.

We establish three claims that complete the proof:

1. there is at least one $\bigcup BU_i$-avoiding approximating set $A$ of $FO_{i+1}$ whose set of successors is $\bigcup BU_i$-touching, i.e. $N(A) \cap \bigcup BU_i \neq \emptyset$.

2. there is at least one $\bigcup BU_i$-avoiding approximating set $B$ of $BO_{i+1}$ whose set of successors is $\bigcup BU_i$-touching.

3. some state $b \in B$ appears in $BU_{i+1}$ but not $BU_i$, and hence $BU_i \prec_{base} BU_{i+1}$.

The first claim follows from the fact that only $\bigcup BU_i$-consistent joins are performed at any stage of the Over_Approx routine. Since the full algorithm has not terminated, we know that the initial states used in Over_Approx are disjoint from $\bigcup BU_i$, and hence all approximating sets in $S_0 \sqcap BO_i$ are $\bigcup BU_i$-avoiding. The final converged overapproximation $FO_{i+1}$ is not $\bigcup BU_i$-avoiding, or else it is also $V$-avoiding, and hence verified correct. Thus at some stage of the overapproximating routine a $\bigcup BU_i$-touching set is included in the accumulated overapproximation. Since all joins are $\bigcup BU_i$-consistent, no $\bigcup BU_i$-avoiding approximating sets are ever replaced with $\bigcup BU_i$-touching sets. Hence there must be some $\bigcup BU_i$-touching set which is first added to the overapproximation, and it must be added as a result of computing the successors of a $\bigcup BU_i$-avoiding approximating set. Let this set be $A_0$. Thus $A_0$ has successor states in $\bigcup BU_i$. The overapproximating algorithm may join other sets to $A_0$, but only if the join is $\bigcup BU_i$-consistent, so there is always an approximating set that is $\bigcup BU_i$-avoiding and contains $A_0$. This argument establishes the first claim above. Let the approximating set thus found be called $A$.

The second claim states that $BO_{i+1}$ also has such a set. We know that some state $a \in A$ has a successor $a' \in \bigcup BU_i$. We have already shown that $\bigcup BU_i \subseteq \bigcup BU_{i+1}$ and so $\bigcup BU_i \subseteq \bigcup BO_{i+1}$. In particular, $a' \in \bigcup BO_{i+1}$. When the overapproximation algorithm computes the predecessors of an approximating structure containing $a'$, it obtains a structure $\mathcal{B}$ with at least one set $B_0$ containing $a$. Thus when $\mathcal{B}$ is joined to the current backwards overapproximation under construction, there is some approximating set containing $a$ which is a subset of both $B_0$ and the class $A$, since approximating sets in $FO_{i+1}$ are used as separating classes in computing $BO_{i+1}$. The converged backwards overapproximation also contains some set $B \subseteq A$ which contains $a$. Because the class $A$ is $\bigcup BU_i$-avoiding, so is $B$, and the claim is established.

Finally, for the third claim, we need to show that some state in $A$ is in $BU_{i+1}$. The state $a$ has been chosen so that $N(a)$ includes elements of $\bigcup BU_i$. Let $B' = N(a) \cap \bigcup BU_i \neq \emptyset$. While computing the underapproximation $BU_{i+1}$, the routine Under_Approx at some stage considers all predecessors of some approximating set containing some $b \in B'$. These predecessors $B''$ would include the state $a \in A$. Since $B$ is a separating class used in this computation, $B \cap B''$ is a set in the approximating structure for the predecessors being considered now. Suppose the underapproximation under construction already included some states in $A$. Then we are done, since $\bigcup BU_i$ does not, and since the underapproximation algorithm never discards base elements, it follows that $BU_i \prec_{base} BU_{i+1}$. So suppose not. But in this case the algorithm would then include some set of states in $B$ by the second axiom for underapproximating operators, namely that $\ldots \neq \emptyset$. It follows that $BU_i \prec_{base} BU_{i+1}$.

Proposition 2.13 Given a finite state-space, if the algorithm generates infinitely many forwards overapproximations, then infinitely many of them are strictly decreasing with respect to $\prec_{base}$.

Proof: Suppose the forwards overapproximations are not infinitely often decreasing. Then by proposition 2.11 the base elements of the forwards overapproximation must converge to some set $\bigcup FO$. Suppose this occurs after $k$ traversals. From this point on, the backwards underapproximations are non-decreasing, since $\bigcup BU_i \subseteq \bigcup FO$ and $\bigcup BU_i \cap \bigcup FO \subseteq \bigcup BU_{i+1}$ for $i > k$. Hence they cannot increase infinitely often since they are contained within a finite set. Thus by proposition 2.12 the forwards overapproximations are infinitely often decreasing. □


Theorem 2.14 Given a finite state-space $S$, the full approximation algorithm of figure 2.11 terminates.




Proof: The well-founded ordering $\preceq_{base}$ over the forwards overapproximations is non-increasing and strictly decreasing infinitely often, and so the algorithm must terminate.

Theorem 2.15 Given a finite state-space $S$, the full approximation algorithm terminates with the correct answer to the verification problem.

Proof: Immediate from theorems 2.8 and 2.14. □


2.3.4  Additional  splitting 

The full algorithm can easily be modified to allow additional splitting of classes. This feature enables the program to use various heuristics to accelerate convergence, other than those outlined above for conditional joins.

Additional splitting may be safely performed between traversals. In the algorithm given above, each successive traversal of the algorithm uses a separating structure derived from the previous overapproximation. However it is always possible to refine this separating structure without losing soundness, or completeness over finite-state systems. If the separating structure used instead of the previous overapproximation has the same base elements as the overapproximation, correctness is maintained. Furthermore, if it is also finer than it (with respect to $\preceq_{sp}$, defined below) the property of termination is maintained.

We define a notion of splitting one approximating structure into another. Intuitively, $\mathcal{A}$ is the result of some splitting of $\mathcal{B}$ iff it is obtained by taking some sets in $\mathcal{B}$ and splitting them into nontrivial parts.

$$\mathcal{A} \preceq_{sp} \mathcal{B} \text{ if and only if}$$

$$\forall A \in \mathcal{A},\ \exists B \in \mathcal{B} \text{ such that } A \subseteq B, \text{ and}$$

$$\forall B \in \mathcal{B},\ B = \bigcup \{A \in \mathcal{A} \mid A \subseteq B\}$$

We let Split() be any function which, given input approximating structure $\mathcal{B}$, returns some Flatten($\mathcal{A}$) for which $\mathcal{A} \preceq_{sp} \mathcal{B}$.


Proposition 2.16 Replacing the Flatten function with the Split function in the full approximation algorithm maintains the properties of termination over finite-state systems, and correctness.

Proof: Correctness is obvious, since the base elements are maintained and thus still form an overapproximation.

An examination of the termination proof over finite-state systems reveals that termination depends on successive overapproximations containing sets which do not contain elements in the underapproximations, but which have successor states which do. See the proof of proposition 2.12. Suppose $X$ is such a class as required by the proof of termination, i.e. $X$ is a set in $FO_i$ that is $\bigcup BU_i$-avoiding but its successors are not. Suppose then that $s \in X$ is not in $\bigcup BU_i$ but has a successor state which is. Splitting a class $X$ into several classes $X_1, X_2, \ldots, X_k$ which partition $X$ ensures that there will always be a class among the $X_j$ which contains $s$ and is $\bigcup BU_i$-avoiding. □

Alternative  termination  conditions 

An alternative dynamic method for refining the separating structure used for each iteration is to separate states appearing in the underapproximation from those which do not. This technique may be seen as a special case of allowing additional splitting. The potential disadvantage of this approach is that classes may get fragmented quickly, and it requires use of the difference or negation operator. In particular, for the real-time systems we consider we do not have a space-time efficient means of computing the difference between approximating sets.

2.3.5  Generating  debugging  traces 

An important, and often overlooked, factor in any algorithm for verification is the ability to generate useful debugging information when a system violation is detected. Here we briefly describe how the underapproximations can be used to generate debugging traces, and some of the limitations associated with them.

In its most general form, the algorithm as it stands does not guarantee violating paths will be obtained every time a violation is detected. However, the underapproximation algorithm can easily be used to generate a graph whose nodes are sets of states with an edge between nodes whenever there is an edge between elements of the two sets. If a violation is detected, the graph contains violating states. From this graph it is possible to generate a pseudo-trace $A_1, A_2, A_3, \ldots, A_k$ where all states in $A_1$ are initial, all states appearing in any $A_i$ are reachable from the initial states, and between any two successive sets $A_i$ and $A_{i+1}$ in the sequence there is at least one edge from a state in $A_i$ to a state in $A_{i+1}$. Notice however that there is no guarantee at all that there is even a path $a_1, a_2, \ldots, a_k$ in $(S, S_0, N)$ such that $a_i \in A_i$. In many cases however, this kind of debugging information can be useful.

There  are  a  number  of  ways  to  generate  real  violating  paths.  One  could  use  exact 
analysis  over  that  part  of  the  state-space  covered  by  the  underapproximation  until  a 
violating  state  is  reached. 

Another method is to use a restricted form of underapproximating operator that enables real violating traces to be extracted. The idea is to build a graph whose nodes are sets of states with edges between sets whenever there is an edge to every element in the second set from some element of the first set. We say a graph with sets of states in $S$ as nodes is a $\exists\forall$-setgraph for $(S, S_0, N)$ iff whenever $A \to B$, for every $b \in B$ there is some $a \in A$ such that $a \to b$. Every trace in a $\exists\forall$-setgraph corresponds to a trace in the underlying transition system.

Proposition 2.17 Given a $\exists\forall$-setgraph $G$ for the transition system $(S, S_0, N)$, for every path $A_1, A_2, \ldots, A_k$ in $G$, there is a path $a_1, a_2, \ldots, a_k$ in $(S, S_0, N)$ such that $a_i \in A_i$. □

Thus we need only guarantee that the underapproximation builds a $\exists\forall$-setgraph. An easy way to achieve this is to restrict the underapproximating operator so that $A \oplus B = A$ whenever $A$ is non-empty. However this results in a very weak underapproximating operator. In order to compensate for the weak operator, we may restrict the expansion operator over sets so that the underapproximation advances sufficiently. We propose using the expansion operator which always returns a set of sets which is maximal, up to a certain limit on its size. Given sets of sets $\{A_i\}$ and $\{B_j\}$, we say that any subset of $\{A_i\} \cup \{B_j\}$ which contains every $A_i$, has at most $k$ members, and is maximal is an expansion of $\{A_i\}$ with $\{B_j\}$. The larger the value of $k$, the closer the approximation is to being exact, at a cost of time and space.
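The difference between a pseudo-trace and a $\exists\forall$-setgraph path, as an added Python example (not code from the thesis): `some_edge` is the pseudo-trace condition, `every_target_covered` is the $\exists\forall$ condition, and `refine_to_state_path` carries out the construction behind proposition 2.17, walking the set path backwards and choosing a predecessor at each step. The two transition systems `N_PSEUDO` and `N_EA` and the set path `SET_PATH` are constructed for illustration; the state names are arbitrary.

```python
"""Set-graphs over a finite transition system (S, S0, N), as in section 2.3.5.

A pseudo-trace A1, ..., Ak only needs SOME edge between successive sets; an
exists-forall setgraph needs an edge INTO EVERY element of the next set.  Only
the latter guarantees a real path of states, which refine_to_state_path builds.
"""
from typing import FrozenSet, List, Optional, Set, Tuple

State = str
Edge = Tuple[State, State]
SetPath = List[FrozenSet[State]]


def some_edge(N: Set[Edge], A: FrozenSet[State], B: FrozenSet[State]) -> bool:
    """Pseudo-trace condition: at least one edge from a state in A to a state in B."""
    return any(s in A and t in B for (s, t) in N)


def every_target_covered(N: Set[Edge], A: FrozenSet[State], B: FrozenSet[State]) -> bool:
    """Exists-forall condition: for every b in B there is some a in A with a -> b."""
    return all(any((a, b) in N for a in A) for b in B)


def is_set_path(N: Set[Edge], path: SetPath, edge_ok) -> bool:
    """Check every consecutive pair of sets against the given edge condition."""
    return all(edge_ok(N, path[i], path[i + 1]) for i in range(len(path) - 1))


def refine_to_state_path(N: Set[Edge], path: SetPath) -> Optional[List[State]]:
    """Proposition 2.17 made constructive: pick a_k in A_k, then for each earlier
    set pick a predecessor of the state chosen so far.  The exists-forall
    condition guarantees such a predecessor; if none exists the input was not
    an exists-forall setgraph path and None is returned."""
    if not path or not path[-1]:
        return None
    states = [min(path[-1])]                    # deterministic choice of a_k
    for A in reversed(path[:-1]):
        preds = [a for a in A if (a, states[0]) in N]
        if not preds:
            return None
        states.insert(0, min(preds))
    return states


def exists_state_path(N: Set[Edge], path: SetPath) -> bool:
    """Brute force: is there ANY a1..ak with ai in Ai and ai -> ai+1?  Shows that
    a pseudo-trace can satisfy some_edge everywhere and still have no real path."""
    frontier = set(path[0])
    for B in path[1:]:
        frontier = {b for b in B if any((a, b) in N for a in frontier)}
        if not frontier:
            return False
    return True


# Constructed sample systems (not from the thesis): S = {i, x, y, v}, S0 = {i}.
# In N_PSEUDO the set {x, y} is entered only via x, but only y leads on to v.
N_PSEUDO: Set[Edge] = {("i", "x"), ("y", "v")}
# In N_EA both x and y are successors of i and both lead to v.
N_EA: Set[Edge] = {("i", "x"), ("i", "y"), ("x", "v"), ("y", "v")}
SET_PATH: SetPath = [frozenset({"i"}), frozenset({"x", "y"}), frozenset({"v"})]


if __name__ == "__main__":
    print("pseudo-trace edges ok:", is_set_path(N_PSEUDO, SET_PATH, some_edge))           # True
    print("exists-forall edges ok:", is_set_path(N_PSEUDO, SET_PATH, every_target_covered))  # False
    print("real path exists:", exists_state_path(N_PSEUDO, SET_PATH))                      # False
    print("refined path in N_EA:", refine_to_state_path(N_EA, SET_PATH))                   # ['i', 'x', 'v']
```

The backward walk is what makes the $\exists\forall$ condition the right one: choosing $a_k$ first and then predecessors never gets stuck, whereas a forward walk through a pseudo-trace can enter a state (here `x`) whose successors leave the next set entirely.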


2.3.6  Further  features 

All the algorithms described in this section are flexible enough to allow the user to specify an initial separating structure. Hence the algorithms can be run approximating as aggressively (loosely), or as accurately (tightly), as desired. The user can also use her own understanding of the system to determine which parts of the state-space to analyze more accurately, and over which states rough approximations are adequate.

An additional advantage of this approximation scheme is that it utilizes both forwards and backwards reachability information. Empirical experience with finite-state verification has shown that in some instances performing reachability in one direction is easy while the other is prohibitively expensive. Rather than having to commit to an expensive exact forward or backwards analysis, or perform both simultaneously, the approximation algorithm can quickly compute an approximation in one direction, and then the other. Thus information from both traversals may be combined relatively quickly before the analysis becomes more exact.


2.4  Approximating  next-state  relations 

We  conclude  this  chapter  by  showing  how  approximations  can  be  made  over  not 
only  the  accumulated  set  of  reachable  states,  but  also  over  the  individual  image 
computations.  In  the  description  above,  the  exact  next-state  relation  is  used  to 
compute  the  successors  of  a  set  of  states.  However,  it  is  not  always  easy  to  find 
the  exact  set  of  successor  states  for  a  given  approximating  set.  Furthermore,  the  set 
of  successors  may  not  be  a  single  approximating  set,  but  rather  a  large  number  of 
approximating  sets.  We  later  explain  in  subsection  5.1.2  how  this  situation  occurs  for 
the  real-time  systems  we  verify,  where  we  find  it  necessary  to  approximate  next-state 
relations. 
This section outlines how next-state relations can be approximated. It also provides sufficient conditions for the approximation algorithm to terminate over finite-state systems.

An underapproximation of the next-state relation $N$, usually denoted $\underline{N}$, is any relation such that $\underline{N} \subseteq N$. Similarly, a relation $\overline{N}$ is an overapproximation of $N$ iff $N \subseteq \overline{N}$. These relations induce relations over sets of states in the natural way, i.e. $N(A) = \{t \mid \exists s \in A \text{ such that } N(s, t)\}$. Since we are mainly concerned here with relations over sets of states, we further define a set-underapproximation of the set-relation induced by $N$ as any relation $\underline{N}$ over sets of states such that for every set $A \subseteq S$, $\underline{N}(A) \subseteq N(A)$. Set-overapproximations are similarly defined. Set-approximating next-state relations are usually referred to simply as approximations of $N$.


2.4.1  Correctness 

The following propositions state that it is sound to replace $N$ with an overapproximation in the overapproximation algorithms, and with an underapproximation in the underapproximating algorithms. As a point of clarification, the algorithms for backwards overapproximation do not use $(\overline{N})^{-1}$, but rather an overapproximation $\overline{N^{-1}}$ of the inverse relation $N^{-1}$. Similarly $(\underline{N})^{-1}$ should be replaced by some $\underline{N^{-1}}$ in the underapproximating algorithms.

Proposition 2.18 The overapproximating algorithms (for fundamental overapproximation (figure 2.1), for iterated approximations (figure 2.4), for separating classes (figure 2.5), and within the full approximation algorithm (figure 2.12)), when run with $N$ replaced by an overapproximating relation $\overline{N}$ ($\overline{N^{-1}}$) in the forwards (backwards) direction, yield converged overapproximations whose base elements are a superset of the states lying on violating paths. □

Figure 2.14: Non-termination example (the two-state system $i \to v$, with $\overline{N} = \overline{N^{-1}} = N$ and $\underline{N} = \underline{N^{-1}} = \{\}$)

Proposition 2.19 The underapproximating algorithms (for fundamental underapproximation (figure 2.2), for separating classes (figure 2.6), and within the full approximation algorithm (figure 2.13)), when run in the forwards (backwards) direction with $N$ replaced by an underapproximating relation $\underline{N}$ ($\underline{N^{-1}}$), yield converged underapproximations whose base elements are a subset of the states forwards (backwards) reachable from $S_0$ ($V$). □

Combining  propositions  2.18  and  2.19  gives  soundness  for  the  full  approximation 
algorithm. 

Proposition 2.20 If the full algorithm terminates when $N$ is replaced by $\overline{N}$ ($\overline{N^{-1}}$) in the overapproximating routines, and by $\underline{N}$ ($\underline{N^{-1}}$) in the underapproximating routines, it gives a correct answer to the verification problem. □

2.4.2  Non-termination 

The following examples illustrate that even if $N$ is approximated for just overapproximations (or underapproximations) and the approximation operators actually return the exact union, termination is not guaranteed even for finite-state systems.

Example 2.21 Consider the verification problem $(S, S_0, N, V)$ for the 2-state system with $S = \{i, v\}$, $S_0 = \{i\}$, $V = \{v\}$, and $N = \{(i, v)\}$, shown in figure 2.14. Let us use exact operators as our approximating operators, i.e. we assume that $\oplus$ and $\sqcup$ are exact over the sets we consider. Suppose we approximate $N$ with the overapproximation $\overline{N} = \overline{N^{-1}} = N$, and the underapproximation $\underline{N} = \underline{N^{-1}} = \{\}$. The initial separating structure must separate $i$ from $v$, and is thus taken to be $(\{i\}, \{v\})$. The first iteration of the forwards overapproximation yields the approximating structure $(\{i\}, \{v\})$. The forward underapproximation is $(\{i\}, \{\})$. The system contains an unconfirmed violation. The backwards iterations yield the same overapproximation, and the corresponding underapproximation. Continued iterations of the algorithm result in no change, so the violation will never be detected.

Example 2.22 Consider a system where $S$, $S_0$, and $V$ are as above but with $N = \{\}$. Take $\underline{N}$ to be $N$, and the overapproximation $\overline{N}$ to be $\{(i, v)\}$. In this case we iterate with exactly the same approximations as before, and never discover that the system is correct.

Proposition 2.23 The full algorithm, with $N$ replaced by $\overline{N}$ in the overapproximating routines, and by $\underline{N}$ in the underapproximating routines, need not terminate even over finite-state systems.
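Examples 2.21 and 2.22 run mechanically, as an added Python example rather than code from the thesis. Because the operators are assumed exact, an approximating structure is characterised by its base elements, so the block reduces structures to plain sets and uses the base elements of the previous overapproximation as the bound within which the next traversal works; the backwards relations are taken to be the inverses of the same two approximate relations, as in the examples. These simplifications, the function names and the "undecided" verdict (returned when a full forwards-plus-backwards round changes nothing, which with fixed relations means nothing ever will) are all assumptions of this example.

```python
"""Exact-operator version of the full approximation algorithm run with
approximate next-state relations (section 2.4), reproducing examples 2.21 and 2.22."""
from typing import Callable, Set, Tuple

State = str
Relation = Set[Tuple[State, State]]
Verdict = Tuple[str, int]


def image(rel: Relation, A: Set[State]) -> Set[State]:
    """N(A) = { t | exists s in A with N(s, t) }."""
    return {t for (s, t) in rel if s in A}


def preimage(rel: Relation, A: Set[State]) -> Set[State]:
    """N^{-1}(A): the predecessors of A under rel."""
    return {s for (s, t) in rel if t in A}


def reach(step: Callable[[Set[State]], Set[State]], start: Set[State], bound: Set[State]) -> Set[State]:
    """Least fixpoint of start ∪ step(X) confined to `bound` (the base elements of
    the separating structure).  Terminates because bound is finite."""
    cur = set(start)
    while True:
        nxt = cur | (step(cur) & bound)
        if nxt == cur:
            return cur
        cur = nxt


def full_algorithm(S, S0, V, N_over: Relation, N_under: Relation, max_traversals: int = 20) -> Verdict:
    """Alternate forwards and backwards traversals.  Overapproximations use N_over,
    underapproximations N_under (inverted for the backwards direction).  Returns
    ("verified", k), ("violation", k) or ("undecided", k) after k traversal pairs."""
    bound: Set[State] = set(S)
    for k in range(1, max_traversals + 1):
        round_start = set(bound)
        # forwards traversal: overapproximate, then underapproximate, S0-reachability
        fo = reach(lambda A: image(N_over, A), S0 & bound, bound)
        if not (fo & V):
            return ("verified", k)       # no violating state is even over-reachable
        fu = reach(lambda A: image(N_under, A), S0 & fo, fo)
        if fu & V:
            return ("violation", k)      # an under-reachable state violates
        bound = fo
        # backwards traversal: the same two steps from V towards S0
        bo = reach(lambda A: preimage(N_over, A), V & bound, bound)
        if not (bo & S0):
            return ("verified", k)
        bu = reach(lambda A: preimage(N_under, A), V & bo, bo)
        if bu & S0:
            return ("violation", k)
        bound = bo
        if bound == round_start:         # a whole round made no progress
            return ("undecided", k)
    return ("undecided", max_traversals)


# The two-state system of figure 2.14: S = {i, v}, S0 = {i}, V = {v}.
S = {"i", "v"}
S0 = {"i"}
V = {"v"}
N_IV: Relation = {("i", "v")}
N_EMPTY: Relation = set()


def example_2_21() -> Verdict:
    """N = {(i, v)} overapproximated exactly and underapproximated by {}: never decided."""
    return full_algorithm(S, S0, V, N_over=N_IV, N_under=N_EMPTY)


def example_2_22() -> Verdict:
    """N = {} underapproximated exactly and overapproximated by {(i, v)}: never decided."""
    return full_algorithm(S, S0, V, N_over=N_IV, N_under=N_EMPTY)


def with_exact_relation(N: Relation) -> Verdict:
    """The same loop with N_over = N_under = N decides in the first traversal."""
    return full_algorithm(S, S0, V, N_over=N, N_under=N)
```

Both examples issue exactly the same calls, which is the point of example 2.22: the algorithm cannot tell the two systems apart once the relations are fixed, and every verdict it does reach is still sound (propositions 2.18 to 2.20), so the only symptom is the missing answer.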

2.4.3  Termination 

We  outline  methods  which  guarantee  the  full  approximation  algorithm  terminates 
over  finite-state  systems,  even  when  the  next-state  relation  is  approximated. 

Convergence  to  exact  relations 

The first strategy proposed is to use a sequence of approximations to $N$ rather than a fixed approximation. Let $N_1, N_2, \ldots$ be overapproximations of $N$ that are converging towards $N$, i.e. $N_i \supseteq N_{i+1} \supseteq N$. It is easy to see that if $N_i$ is used in place of $N$ on the $i$-th traversal of the full approximation algorithm, then correctness is maintained. A sequence of next-state relations increasing towards $N$ may also be used soundly for underapproximating $N$. If the approximate next-state relations converge to the exact relation $N$, then the algorithm terminates over finite-state systems.

We define a straightforward ordering on set-approximating next-state relations as follows:

$$N_1 \le N_2 \text{ iff } \forall A \subseteq S,\ N_1(A) \subseteq N_2(A)$$

Proposition 2.24 Given sequences of decreasing overapproximating relations for $N$ and sequences of increasing underapproximating relations for $N$, both of which eventually converge to exactly $N$, the full approximation algorithm terminates correctly over finite state-spaces if the $i$-th approximating relations are used instead of $N$ in computing the $i$-th approximations.

Proof: Running the full approximation algorithm as described with overapproximating relations $\overline{N}_i$ and $\overline{N^{-1}}_i$ and underapproximating relations $\underline{N}_i$ and $\underline{N^{-1}}_i$ is sound, by repeated applications of propositions 2.18 and 2.19, and then proposition 2.20. The algorithm cannot run forever since after $j$ traversals the approximating next-state relations converge to the exact relation, from which point the algorithm is guaranteed to terminate. In other words, the computation can be viewed as taking place in two distinct phases, each of which will terminate. Any computation using approximate next-state relations up to the $j$-th traversal may be regarded as a preliminary restriction of the state-space to states potentially lying on violating paths. Computation from the $j$-th traversal on may be regarded as running the full approximation algorithm with the exact next-state relation. □

Exact  application  of  approximate  relations 

The second strategy suggested is to use a set-approximating next-state relation which is exact when applied to a subclass of approximating sets. Rather than guaranteeing a priori that a sequence of approximating relations converges to the exact relation, we can use a fixed approximating relation, and instead ensure that it is eventually only ever applied to approximating sets over which it is exact. This strategy is the one we use for verifying real-time systems. Let $Dom_0 \subseteq Dom$ be a subset of the domain of approximating sets. A set next-state relation $N'$ exactly matches a set next-state relation $N$ over $Dom_0$ iff for all sets $A \in Dom_0$, $N'(A) = N(A)$.

Proposition 2.25 If the full algorithm is run with set-underapproximating relations and set-overapproximating relations which are exact over the domain of all sets appearing in the initial separating structure and all subsets of those sets, then the algorithm terminates over finite state-spaces.

Proof: It is sufficient to establish that the approximating relations are exact over all sets to which they are applied. First observe that at any stage of the full algorithm, every separating class is the subset of one of the classes in the original separating structure. All approximating sets lie within some separating class, and hence are subsets of some initial separating class. Thus, by the assumption in the statement of the proposition, the next-state relation is exact over all sets it operates on. □

Theorem 2.26 Given a finite state-space and a well-founded ordering, if the full approximation algorithm is run with set-underapproximating relations $\underline{N}$ and $\underline{N^{-1}}$ and set-overapproximating relations $\overline{N}$ and $\overline{N^{-1}}$ such that the separating structures generated are non-increasing, and at each traversal, either the most recent separating structure $\mathcal{C}$ is strictly less than the previous one, or $\overline{N}$, $\overline{N^{-1}}$, $\underline{N}$ and $\underline{N^{-1}}$ exactly match $N$ over the domain of separating sets appearing in $\mathcal{C}$, then the algorithm terminates.

Proof: Assume the algorithm generates infinitely many approximations without terminating. If there are infinitely many approximations which are strictly decreasing, then the algorithm must terminate. Suppose then that this is not the case, and that eventually all adjacent overapproximations have the same set of base elements. By assumption, $\overline{N}$, $\overline{N^{-1}}$, $\underline{N}$ and $\underline{N^{-1}}$ all exactly match $N$ over the current separating classes, and then by proposition 2.25, the algorithm terminates. □

A natural candidate for the well-founded ordering is $\preceq_{base}$. However, it is often difficult to guarantee that the successive approximations are decreasing infinitely often with respect to this ordering. We introduce another ordering for which it is easy to modify the algorithm so that the approximations decrease as required.

Let

$$\mathcal{A} \prec_{set} \mathcal{B} \text{ if and only if}$$

$$\forall A \in \mathcal{A}\ \exists B \in \mathcal{B} \text{ such that } A \subseteq B, \text{ and}$$

$$\exists B \in \mathcal{B} \text{ such that } \nexists A \in \mathcal{A} \text{ with } B \subseteq A$$


Proposition 2.27 Over a finite state-space, there are no infinite chains of approximating structures which are strictly $\prec_{set}$-descending or strictly $\prec_{set}$-ascending.

Proof: Over a finite state-space, there are only finitely many approximating structures, so we need only show that $\prec_{set}$ admits no cycles. By definition, if $\mathcal{A} \prec_{set} \mathcal{B}$, then some set $B \in \mathcal{B}$ has no superset in $\mathcal{A}$. If $\mathcal{B} \prec_{set} \mathcal{C}$, then there is some set $C \in \mathcal{C}$ such that $B \subseteq C$. The set $C$ cannot have any superset in $\mathcal{A}$ or else $\mathcal{A}$ would contain a superset of $B$. By induction it is impossible for there to be a cycle $\mathcal{A} \prec_{set} \mathcal{B} \prec_{set} \cdots \prec_{set} \mathcal{A}$, since every set is a superset of itself. □

Corollary 2.28 Given a finite state-space, if the successive overapproximations are strictly decreasing with respect to $\prec_{set}$ up until the approximating relations are exactly matching, then the algorithm terminates. □

It is easy to see how to obtain from an overapproximation $\mathcal{A}$ a separating structure $\mathcal{C}$ which has the same base elements, but such that $\mathcal{A} \prec_{set} \mathcal{C}$. We need only take any non-zero number of approximating sets in $\mathcal{A}$ which are not contained in any other approximating set in $\mathcal{A}$, and let $\mathcal{C}$ be the result of replacing each with nontrivial parts which partition it. Since the replaced approximating sets do not have supersets in $\mathcal{A}$, it follows that $\mathcal{A} \prec_{set} \mathcal{C}$.

Proposition 2.29 The successive overapproximations of the full algorithm will be decreasing with respect to $\prec_{set}$ if the following alteration is made to the algorithm: whenever the algorithm generates overapproximations whose base elements are not a strict subset of the base elements in the separating structure used in its computation, use as the next separating structure one obtained by splitting as described above. □

These results suggest a policy for ensuring termination when using approximate next-state relations over finite-state systems. Classes in the separating structures can be split whenever "sufficient" progress is not made in successive overapproximations, up until the approximate relations are exactly matching.
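The three orderings on approximating structures ($\preceq_{base}$, $\preceq_{sp}$ from subsection 2.3.4, and $\prec_{set}$ above) together with the splitting step of proposition 2.29, as an added Python example that is not code from the thesis. Structures are frozensets of frozensets of state names; `split_maximal` replaces each maximal set (one with no proper superset in the structure) by nontrivial parts, and `next_separating_structure` applies proposition 2.29's rule. The sample structure, the `halves` partitioning rule and the treatment of Flatten as the identity on these structures are assumptions of this example. Note that with the definition of $\prec_{set}$ read literally, the split structure is the smaller element: for the sample below $\mathcal{C} \prec_{set} \mathcal{A}$ holds and the converse does not, and the test checks that direction.

```python
"""Orderings on approximating structures and the class-splitting step that
forces progress (sections 2.3.4 and 2.4.3)."""
from typing import Callable, FrozenSet, Iterable, List

Set_ = FrozenSet[str]
Structure = FrozenSet[Set_]


def structure(*sets: Iterable[str]) -> Structure:
    return frozenset(frozenset(s) for s in sets)


def base(A: Structure) -> Set_:
    """Base elements: the union of all approximating sets in the structure."""
    return frozenset().union(*A) if A else frozenset()


def preceq_base(A: Structure, B: Structure) -> bool:
    return base(A) <= base(B)


def prec_base(A: Structure, B: Structure) -> bool:
    return base(A) < base(B)


def preceq_sp(A: Structure, B: Structure) -> bool:
    """A is a splitting of B: every set of A lies inside a set of B, and every
    set of B is exactly the union of the sets of A it contains."""
    return (all(any(a <= b for b in B) for a in A)
            and all(b == frozenset().union(*[a for a in A if a <= b]) for b in B))


def prec_set(A: Structure, B: Structure) -> bool:
    """A <_set B: every set of A has a superset in B, and some set of B has no
    superset in A."""
    return (all(any(a <= b for b in B) for a in A)
            and any(not any(b <= a for a in A) for b in B))


def halves(X: Set_) -> List[Set_]:
    """Default way to cut a set into two nontrivial parts (by sorted order)."""
    items = sorted(X)
    return [frozenset(items[: len(items) // 2]), frozenset(items[len(items) // 2:])]


def split_maximal(A: Structure, part: Callable[[Set_], List[Set_]] = halves) -> Structure:
    """Replace every maximal set of A with at least two elements by the nontrivial
    parts returned by `part`; the base elements are unchanged.  Singletons
    cannot be split nontrivially and are left alone."""
    maximal = {a for a in A if not any(a < b for b in A)}
    out = set(A)
    for a in maximal:
        if len(a) >= 2:
            out.remove(a)
            out.update(part(a))
    return frozenset(out)


def next_separating_structure(over: Structure, sep: Structure) -> Structure:
    """Proposition 2.29's rule: if the new overapproximation made strict progress
    on base elements, use it as it is; otherwise split so the ordering still
    drops.  Flatten is taken to be the identity here (an assumption)."""
    return over if prec_base(over, sep) else split_maximal(over)


# Constructed example: an overapproximation whose maximal sets are {1,2,3} and {4,5}.
A = structure({"1", "2", "3"}, {"1", "2"}, {"4", "5"})
C = split_maximal(A)      # {{1}, {2,3}, {1,2}, {4}, {5}}, same base elements as A
```

`prec_set` is what proposition 2.27 relies on: the set that was split has no superset in the refined structure, so a chain of refinements can never return to an earlier structure, while `preceq_base` alone would not register any progress here because the base elements are unchanged.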


Chapter  3 

Real-Time  Systems 

3.1  Introduction 

Computerized controllers are appearing more and more in embedded systems as the cost, size, development time and power requirements of computerized systems plummet. In these systems, the computer interacts with physical processes for which time is an important factor. Thus the design of these controllers must consider not only the sequencing and coordination of events, but also the times at which they occur. Any formal methodology for specifying and reasoning about such interactive systems must include an accurate model of timed behavior.

In  this  chapter  we  review  a  formalism  for  modeling  real-time  systems:  timed 
automata,  and  show  how  they  can  specify  timed  safety  problems. 


3.2  Timed  automata 

3.2.1  Time-stamped  traces 

The domain of time is the set of non-negative reals, simply denoted $\mathbb{R}$. Given an alphabet $\Sigma$, a time-stamped trace is a sequence of pairs in $\Sigma \times \mathbb{R}$

$$(\sigma_0, t_0), (\sigma_1, t_1), \ldots$$

such that

• (weak monotonicity): $t_i \le t_{i+1}$ for all $i \ge 0$

An infinite time-stamped trace is divergent iff

• (divergence): for all $k \in \mathbb{R}$, there exists an $i$ such that $t_i > k$.

Note that time-stamped traces may be finite or infinite, and that several events may occur in sequence with the same time-stamp.

3.2.2  Timed  traces 

A timed trace is an alternative view of a time-stamped trace. Rather than noting the time of every event, we instead model explicitly the passage of time (if any) between events. Let $\Delta$ be the set of time-passage events

$\Delta = \{\delta_t \mid t \in \mathbb{R}\}$

Given an alphabet $\Sigma$ disjoint from $\Delta$, a timed trace consists of a sequence of events taken from $\Sigma \cup \Delta$. Events from $\Sigma$ take place instantaneously, while an event $\delta_t$ from $\Delta$ represents the passage of $t$ time units. It is easy to see that every time-stamped trace can be modeled as a timed trace, and vice versa.

An infinite timed trace is divergent iff its corresponding time-stamped trace is. To express this explicitly, we define a duration function over $\Sigma \cup \Delta$ as follows:

$dur(e) = \begin{cases} t & \text{if } e = \delta_t \in \Delta \\ 0 & \text{if } e \in \Sigma \end{cases}$

Then an infinite timed trace $e_0, e_1, \ldots$ is divergent iff the sum of event durations is unbounded, i.e. for all $k \in \mathbb{R}$ there exists a $j$ such that $\sum_{i=0}^{j} dur(e_i) > k$.
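The correspondence between the two views of a trace, as an added example that is not part of the thesis: a time-stamped trace is turned into a timed trace by emitting a time-passage event only when time actually advances (so simultaneous events get no $\delta$ between them), the reverse conversion accumulates the duration function, and a prefix sum of durations is the quantity whose unboundedness defines divergence. The sample trace is constructed here; time-passage events $\delta_t$ are written as the pair `('delta', t)`, an encoding chosen for this example.

```python
# Added example (not from the thesis): the two views of a trace from sections 3.2.1
# and 3.2.2 converted into one another, with the duration function dur used to recover
# elapsed time. The sample trace below is constructed for illustration.

def check_time_stamped(trace):
    """Weak monotonicity: t_i <= t_{i+1}; several events may share a time-stamp."""
    return all(t0 <= t1 for (_, t0), (_, t1) in zip(trace, trace[1:]))

def is_delta(e):
    """Time-passage events delta_t are encoded as the pair ('delta', t)."""
    return isinstance(e, tuple) and e[0] == "delta"

def dur(e):
    """Duration of an event: t for delta_t, 0 for an instantaneous event from Sigma."""
    return e[1] if is_delta(e) else 0.0

def to_timed_trace(trace):
    """Time-stamped trace [(sigma_i, t_i)] -> timed trace over Sigma u Delta.
    A delta is emitted only when time advances, so events with equal time-stamps
    follow each other directly; a first event at t_0 > 0 is preceded by delta_{t_0}."""
    assert check_time_stamped(trace), "time-stamps must be weakly monotonic"
    now, out = 0.0, []
    for sigma, t in trace:
        if t > now:
            out.append(("delta", t - now))
            now = t
        out.append(sigma)
    return out

def to_time_stamped(timed):
    """Timed trace -> time-stamped trace: each event is stamped with the sum of the
    durations of everything before it."""
    now, out = 0.0, []
    for e in timed:
        now += dur(e)
        if not is_delta(e):
            out.append((e, now))
    return out

def elapsed(timed, j):
    """sum_{i=0..j} dur(e_i): the prefix sum whose unboundedness defines divergence."""
    return sum(dur(e) for e in timed[:j + 1])

# Constructed sample: 'in' and 'out' happen at the same instant.
SAMPLE = [("approach", 1.0), ("in", 3.5), ("out", 3.5), ("approach", 7.0)]
```

Converting `SAMPLE` and back returns the original list, and `elapsed` over the full timed trace equals the last time-stamp, which is the sense in which the two views carry the same information.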

3.2.3  Timed  safety  automata 

We  recall  the  definition  of  timed  safety  automata  (TSAs)  as  a  means  of  specifying 
timed  transition  systems  and  their  properties  [HNSY92].  There  are  many  variants  of 
timed automata; the one we use most closely resembles those of [NSY92a, HNSY92].
Timed  safety  automata  are  a  form  of  finite-state  automata  with  finitely  many  real- 
valued  clocks.  Each  clock  records  the  exact  amount  of  time  which  has  elapsed  since 
its  last  reset.  Each  transition  has  an  enabling  condition  depending  on  the  values  of 
the  clocks.  Transitions  occur  instantaneously  and  may  include  the  resetting  of  clocks. 

Each enabling condition is expressed as a non-empty set of points in $\mathbb{R}^n$, where $n$ is the number of clocks in the automaton. We assume the clocks have been ordered so that the values of all the clocks may be expressed as a vector of real values. The transition is enabled whenever the $n$-vector of clock values lies in its enabling set. Enabling conditions are restricted to be sets definable as a conjunction of constraints of the form $x \sim k$, where $x$ is a clock, $k$ is a constant and $\sim \in \{<, \le, =, \ge, >\}$. For convenience, we may refer to an enabling condition as either a set of points or the logical formula defining it. The domain of all enabling conditions is called $\mathcal{E}_n$. We define a set of reset actions $\mathcal{A}(n)$, which are functions from $\mathbb{R}^n$ to $\mathbb{R}^n$ corresponding to the resetting of some of the clocks to 0. For each $\alpha \in \mathcal{A}(n)$, there is a set of indexes $I_\alpha \subseteq \{1, \ldots, n\}$ such that

$\forall x \in \mathbb{R}^n,\ \forall i = 1, \ldots, n,\quad \alpha(x)_i = \begin{cases} 0 & \text{if } i \in I_\alpha \\ (x)_i & \text{otherwise} \end{cases}$

The enabling conditions on events express precisely that they are enabled to take place; they do not stipulate that the event must occur at all. However in many real-time systems, we need to model the fact that an event is guaranteed to occur within a certain time bound. This situation is modeled in a timed safety automaton by giving safety invariants for each location, thereby specifying upper bounds on how long time may progress. For example, if an event is guaranteed to occur at control location $q$ at time $x = 5$, the invariant at $q$ should require "$x \le 5$". This condition expresses that time cannot pass beyond $x = 5$ without an event occurring.

Definition 3.1 A timed safety automaton (TSA) $G$ is a tuple $(\Sigma, Q, Q_{init}, C, T, Inv)$ where

•  $\Sigma$ is a finite set of events, disjoint from $\Delta$,

•  $Q$ is a finite set of control locations,

•  $Q_{init} \subseteq Q$ is a set of initial locations,

•  $C = \{x_1, \ldots, x_n\}$ is a finite set of clocks,

•  $T \subseteq Q \times \Sigma \times \mathcal{E}_n \times \mathcal{A}(n) \times Q \times \{0, 1\}$ is a proper transition relation, defined below,

•  $Inv \in (Q \to \mathcal{IZ})$ is an invariant assignment mapping control locations to the domain $\mathcal{IZ}$ of safety invariant zones defined below.

Transition  relations 

An edge $e = (q, \sigma, \phi, \alpha, q', urg)$ in the timed automaton's transition relation corresponds to a transition from control location $q$ labeled with event $\sigma$. It is enabled iff the values of the clock variables satisfy $\phi$. The transition is instantaneous and the reset action $\alpha$ is applied to the clock values. The resulting control location is $q'$. The transition is said to be urgent iff $urg = 1$. An urgent transition must occur as soon as it is enabled, unless another instantaneous event occurs and disables it. In other words, no time may pass while an urgent event is enabled. There is an added restriction that urgent events are never constrained by a timing condition with strict lower bounds. This restriction ensures that the time when an urgent event first becomes enabled because of time passing is well-defined. For example, if an urgent event has enabling condition $x > 3$, and the value of $x$ is currently 2, then it would be impossible for time to pass incrementing $x$ beyond 3, and yet have the urgent event occur as soon as $x > 3$, since there is no first value of $x$ which is strictly greater than 3. Formally, then, we first define the vector $\mathbf{t}$ to be the $n$-vector with all components equal to $t$, i.e. $\mathbf{t} = (t, t, \ldots, t) \in \mathbb{R}^n$.

A transition is proper iff it is non-urgent, or it is urgent and its enabling timer values form a set $Z$ which is topologically closed in the downwards direction, i.e. for all points $x$, if there exists an $\epsilon > 0$ such that $x + \boldsymbol{\delta} \in Z$ for all $0 < \delta < \epsilon$, then $x \in Z$. This set closure condition is equivalent to saying that the enabling condition can be defined without using any strict lower bound constraints on the absolute values of any clocks. A transition relation is proper iff all its transitions are proper.

Safety invariants

The domain $\mathcal{IZ}$ of invariant zones is defined to be the set of all predecessor closed time zones. A time zone $Z$ is any convex polyhedron of $\mathbb{R}^n$, consisting of all solutions of a system of linear inequalities where each inequality is of one of the following forms:

•  $x < k$, $x \le k$, $x > k$, $x \ge k$, where $x$ is a clock and $k$ is an integer constant

•  $x - y < k$, $x - y \le k$, where $x$ and $y$ are clocks and $k$ is an integer constant.

Let $\mathcal{Z}(n)$ be the set of zones of $\mathbb{R}^n$. The set of time successors of a zone $Z$ is the set

$Z\!\nearrow\ = \{y \mid \exists x \in Z,\ t \in \mathbb{R},\ \text{such that } y = x + \mathbf{t}\}$

The set of time predecessors of a zone $Z$ is the set

$Z\!\swarrow\ = \{y \mid \exists x \in Z,\ t \in \mathbb{R},\ \text{such that } y + \mathbf{t} = x\}$

Finally, a time zone $Z$ is predecessor closed iff it includes all its time predecessors. An equivalent definition is that it can be defined without using any lower bound constraints on the absolute values of clocks.

Semantics

We are now ready to define operational semantics for a timed safety automaton $G$ in terms of a transition system $(S, S_0, N)$. A timed-state of the system is a pair $s = (q, x)$, where $q \in Q$ is a control location and $x \in \mathbb{R}^n$ a vector of clock values. The set $S$ consists of all timed-states.

The set $S_0$ of initial states is the set of all timed-states whose control component is an initial location in $G$, and whose clock values are all equal to 0, as given by

$S_0 = \{(q, \mathbf{0}) \mid q \in Q_{init}\}$

For each transition $e = (q, \sigma, \phi, \alpha, q', urg) \in T$, let

$N_e = \{((q, x), (q', x')) \mid x \in \phi,\ x' = \alpha(x),\ \text{and } x' \in Inv(q')\}$

For each $t \in \mathbb{R}$, we define

$N_{\delta_t} = \{((q, x), (q, x + \mathbf{t})) \mid x + \mathbf{t} \in Inv(q),\ \text{and } \forall\, 0 \le t' < t,\ \forall e \in T,\ e \text{ is urgent implies } N_e(\{(q, x + \mathbf{t'})\}) = \emptyset\}$

In other words, time may increase at a uniform rate over all clocks, provided the control location's safety invariant is satisfied, and no urgent events are enabled. The next-state relation for all time-passage events is then $N_\delta = \bigcup_{t \in \mathbb{R}} N_{\delta_t}$. The next-state relation of the transition system is

$N = \bigcup_{e \in T} N_e \cup N_\delta$

The transition system induced by the timed safety automaton $G$ is referred to as $(S_G, S_{0,G}, N_G)$.

Because a transition system is unlabeled, we find it convenient for our discussion of timed systems to first define some familiar language-theoretic terms for timed automata. A run of the TSA $G$ for the timed trace $e_0, e_1, e_2, \ldots$ is any infinite sequence of timed states $s_0, s_1, s_2, \ldots$ which is a path in $(S_G, S_{0,G}, N_G)$ such that for all $i \ge 0$, either

•  $e_i = \sigma$ and $(s_i, s_{i+1}) \in N_\sigma$, where $N_\sigma = \bigcup\{N_e \mid e \text{ is labeled with } \sigma\}$, or,

•  $e_i = \delta_t$ and $(s_i, s_{i+1}) \in N_{\delta_t}$.

Such a run may be represented pictorially as

The language accepted by $G$ is defined as the set of all divergent timed traces for which $(S_G, S_{0,G}, N_G)$ has a run starting in $S_{0,G}$.

Graphical  conventions 

Automata are depicted graphically by labeled, directed graphs. Locations are represented by circular nodes, and transitions by labeled edges. Reset actions of transitions are denoted by explicit assignments to 0. Urgent actions are denoted by double-lined arrows. Small incoming arrows mark any initial locations. Safety invariants are written next to the locations they apply to.

Figure 3.1: TSA for a train

Example 3.2 The automaton in figure 3.1 represents a train approaching a control intersection. While TSAs do not distinguish between input and output events, it is convenient here to think of the train as sending an approach signal to the controller. The train then enters the intersection (the in event) at least 2 time units later. The safety invariant $x \le 5$ forces execution to leave location $q_1$ before the clock $x$ reaches 5. We can infer that the in event must occur, and that it does so within 5 time units of the approach, because there is only one event leaving location $q_1$. Upon entering $q_2$, if the value of $x$ is at least 3, then the urgent event out must occur right away, otherwise it will occur exactly 3 time units after the approach. □
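The semantics of the previous subsection and the train of example 3.2, as an added example that is not part of the thesis: the code below computes $N_e$ (guard, reset, target invariant) and decides membership in $N_{\delta_t}$ (invariant at $x + t$, and no urgent edge enabled at any $x + t'$ with $t' < t$), then follows a timed trace to check that it is a run. Guards are conjunctions of `(clock, op, k)` constraints, the encoding used here. Two details of the train are assumed because the page does not state them: the approach event has no guard, and the urgent out event returns control to $q_0$. The urgency check relies on properness exactly as the text argues: with no strict lower bound, the set of delays after which an urgent edge is enabled has a smallest element, so "enabled at some $t' < t$" reduces to comparing that element with $t$.

```python
import math
from collections import namedtuple
from dataclasses import dataclass

# Added example (not from the thesis): an executable reading of the relations N_e and
# N_{delta_t} of section 3.2.3, instantiated with the train of example 3.2. Assumed
# because the page does not say: 'approach' has no guard, and 'out' returns to q0.

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
       ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}

@dataclass(frozen=True)
class Edge:
    src: str
    event: str
    guard: tuple        # phi: conjunction of (clock, op, k) constraints
    resets: frozenset   # I_alpha: clocks set to 0 by the reset action
    dst: str
    urgent: bool = False

TSA = namedtuple("TSA", "edges inv")   # inv: location -> constraints; absent means R^n

def satisfies(guard, x):
    return all(OPS[op](x[c], k) for c, op, k in guard)

def shift(x, t):                       # x + t: time advances uniformly on every clock
    return {c: v + t for c, v in x.items()}

def discrete_successors(tsa, state):
    """N_e for each edge e leaving the location: guard holds, clocks in I_alpha are
    reset, and the target's safety invariant holds on the result."""
    q, x = state
    out = []
    for e in tsa.edges:
        if e.src == q and satisfies(e.guard, x):
            x2 = {c: (0.0 if c in e.resets else v) for c, v in x.items()}
            if satisfies(tsa.inv.get(e.dst, ()), x2):
                out.append((e.event, (e.dst, x2)))
    return out

def delay_interval(guard, x):
    """Delays d >= 0 for which guard holds on x + d, as (lo, hi, lo_closed, hi_closed),
    or None if empty. Each constraint x_c + d op k is rewritten as d op (k - x_c)."""
    lo, hi, lo_closed, hi_closed = 0.0, math.inf, True, False
    for c, op, k in guard:
        b = k - x[c]
        if op in (">", ">=", "=="):
            closed = op != ">"
            if b > lo or (b == lo and not closed):
                lo, lo_closed = b, closed
        if op in ("<", "<=", "=="):
            closed = op != "<"
            if b < hi or (b == hi and not closed):
                hi, hi_closed = b, closed
    if lo > hi or (lo == hi and not (lo_closed and hi_closed)):
        return None
    return lo, hi, lo_closed, hi_closed

def first_urgent_delay(tsa, e, x):
    """Smallest delay after which urgent edge e has an N_e successor, or None. The
    infimum is attained only because e is proper (no strict lower bound)."""
    assert not any(op == ">" for _, op, _ in e.guard), "urgent edge must be proper"
    inv_dst = tsa.inv.get(e.dst, ())
    if not all(OPS[op](0.0, k) for c, op, k in inv_dst if c in e.resets):
        return None                    # a freshly reset clock violates the target invariant
    carried = tuple(con for con in inv_dst if con[0] not in e.resets)
    iv = delay_interval(e.guard + carried, x)
    return None if iv is None else iv[0]

def can_delay(tsa, state, t):
    """((q,x),(q,x+t)) in N_{delta_t}: q's invariant holds at x + t and no urgent edge
    is enabled at any x + t' with 0 <= t' < t."""
    q, x = state
    if not satisfies(tsa.inv.get(q, ()), shift(x, t)):
        return False
    for e in tsa.edges:
        if e.src == q and e.urgent:
            d = first_urgent_delay(tsa, e, x)
            if d is not None and d < t:
                return False
    return True

def execute(tsa, state, trace):
    """Follow a timed trace (event names and ('delta', t) pairs) from state; returns the
    final timed-state, or None if some step is not in N."""
    for step in trace:
        if isinstance(step, tuple):
            if not can_delay(tsa, state, step[1]):
                return None
            state = (state[0], shift(state[1], step[1]))
        else:
            succ = [s for ev, s in discrete_successors(tsa, state) if ev == step]
            if not succ:
                return None
            state = succ[0]            # the train automaton is deterministic
    return state

# The train of example 3.2: approach resets x; 'in' needs x >= 2 under the invariant
# x <= 5 at q1; the urgent 'out' fires as soon as x >= 3.
TRAIN = TSA(
    edges=(Edge("q0", "approach", (), frozenset({"x"}), "q1"),
           Edge("q1", "in", (("x", ">=", 2),), frozenset(), "q2"),
           Edge("q2", "out", (("x", ">=", 3),), frozenset(), "q0", urgent=True)),
    inv={"q1": (("x", "<=", 5),)})
```

From $(q_2, x = 2)$ a delay of exactly 1 is allowed, because out only becomes enabled at $t' = 1$, which is not strictly before $t$; a delay of 1.5 is refused. From $(q_1, x = 0)$ a delay of 5 is allowed by the invariant and 5.5 is not, which is the "must leave $q_1$ by 5" reading of the example.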

Simple  timed  automata 

We introduce a special subclass of timed safety automata called simple timed automata (STAs). These are sufficient for modeling some but not all aspects of timed safety automata, and are particularly useful for analyzing systems which do not depend on the eventuality of timed events. A simple timed automaton is a timed safety automaton with no urgent events, and where all safety invariants are trivial, i.e. $Inv(q) = \mathbb{R}^n$ for all $q \in Q$. These automata have no means of forcing control to leave any given location, and therefore cannot model events which are guaranteed to occur. In particular they cannot express bounded liveness properties such as "$y = 5$ within 3 seconds". However their simplified semantics permits faster verification.


3.3  Modeling  real-time  systems 

This  section  discusses  process  composition  using  timed  safety  automata,  and  how  we 
can  guarantee  non-Zenoness,  i.e.  ensuring  timed  safety  automata  do  not  represent 
systems  for  which  time  cannot  progress  without  bound. 

3.3.1  Process  composition 

Most systems consist of a number of interacting processes. For a clear and compact description, each component can be represented with a separate timed safety automaton, and their parallel execution modeled by their automaton composition. For simplicity, we interchangeably use the term real-time process to refer to both the process being modeled and its timed safety automaton representation.

The  composition  operation  uses  interleaving  semantics,  with  synchronization  over 
shared  events.  Note  however  that  a  straightforward  language  semantics  of  a  real¬ 
time  process  is  not  compositional,  because  of  the  treatment  of  urgent  events,  whose 
enabling  conditions  depend  on  external  components. 

Given two real-time processes denoted $P' = (\Sigma', Q', Q'_{init}, C', T', Inv')$ and $P'' = (\Sigma'', Q'', Q''_{init}, C'', T'', Inv'')$, with disjoint sets of clocks, their composition is defined by the real-time process $P = (\Sigma, Q, Q_{init}, C, T, Inv)$, where

•  $\Sigma = \Sigma' \cup \Sigma''$

•  $Q = Q' \times Q''$

•  $Q_{init} = Q'_{init} \times Q''_{init}$

•  $C = C' \cup C''$

•  $T$ consists of all tuples $((q'_1, q''_1), \sigma, \psi, \alpha, (q'_2, q''_2), urg)$ such that either

  -  $\sigma \in \Sigma'$ and $\sigma \notin \Sigma''$ and there is a transition $(q'_1, \sigma, \psi, \alpha, q'_2, urg)$ in $T'$, and $q''_2 = q''_1$, or,

  -  $\sigma \in \Sigma''$ and $\sigma \notin \Sigma'$ and there is a transition $(q''_1, \sigma, \psi, \alpha, q''_2, urg)$ in $T''$, and $q'_2 = q'_1$, or,

  -  $\sigma \in \Sigma' \cap \Sigma''$ and there are transitions $(q'_1, \sigma, \psi', \alpha', q'_2, urg')$ in $T'$, and $(q''_1, \sigma, \psi'', \alpha'', q''_2, urg'')$ in $T''$ such that

    *  $\psi = \psi' \wedge \psi''$, and,

    *  $I_\alpha = I_{\alpha'} \cup I_{\alpha''}$, and,

    *  $urg = 1$ iff either $urg' = 1$ or $urg'' = 1$

•  $Inv((q', q'')) = Inv'(q') \wedge Inv''(q'')$
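The composition above, as an added example that is not part of the thesis: `compose` builds $T$ from the three cases (private to $P'$, private to $P''$, shared and synchronized with $\psi' \wedge \psi''$, $I_{\alpha'} \cup I_{\alpha''}$ and the urgency disjunction) on plain tuples $(q_1, \sigma, \psi, I_\alpha, q_2, urg)$, and is applied to the Fischer protocol of section 3.3.3 below: two copies of process $i$ and the VARIABLE-X process that share the read and write events. The shape of VARIABLE-X (reads as self-loops at one value, writes accepted from every value) is my reading of the description of figure 3.2, and the constants `DELTA` and `DELTA_C` are assumed values, since the bounds are named on the page but not legible in this copy.

```python
from dataclasses import dataclass
from itertools import product

# Added example (not from the thesis): the product construction of section 3.3.1 on
# plain tuples (q1, sigma, psi, I_alpha, q2, urg), applied to the Fischer protocol of
# section 3.3.3. DELTA and DELTA_C are assumed values for the page's timing bounds.

@dataclass
class Process:
    events: frozenset
    locations: frozenset
    init: frozenset
    clocks: frozenset
    edges: frozenset      # (q1, sigma, psi, I_alpha, q2, urg); psi is a tuple of constraints
    inv: dict             # location -> tuple of constraints read as a conjunction

def compose(p1, p2):
    """P' || P'': interleaving on private events, synchronization on shared ones."""
    assert not (p1.clocks & p2.clocks), "clock sets must be disjoint"
    edges = set()
    for (a1, s, psi, ia, a2, urg) in p1.edges:
        if s not in p2.events:                           # sigma in Sigma' \ Sigma''
            edges |= {((a1, b), s, psi, ia, (a2, b), urg) for b in p2.locations}
        else:                                            # sigma in Sigma' n Sigma''
            for (b1, s2, psi2, ia2, b2, urg2) in p2.edges:
                if s2 == s:
                    edges.add(((a1, b1), s, psi + psi2, ia | ia2, (a2, b2),
                               1 if (urg == 1 or urg2 == 1) else 0))
    for (b1, s, psi, ia, b2, urg) in p2.edges:
        if s not in p1.events:                           # sigma in Sigma'' \ Sigma'
            edges |= {((a, b1), s, psi, ia, (a, b2), urg) for a in p1.locations}
    locs = frozenset(product(p1.locations, p2.locations))
    inv = {(a, b): p1.inv.get(a, ()) + p2.inv.get(b, ()) for a, b in locs}
    return Process(p1.events | p2.events, locs, frozenset(product(p1.init, p2.init)),
                   p1.clocks | p2.clocks, frozenset(edges), inv)

DELTA = 2     # assumed: upper bound on the delay in q1 before writing X := i
DELTA_C = 3   # assumed: minimum wait in q2 before entering the critical section

def fischer_process(i):
    """Process i: q0 -start_i-> q1 -setX_i-> q2 -enter_i-> q3 -P_isetX0-> q0, clock y_i."""
    y = f"y{i}"
    return Process(
        events=frozenset({f"start{i}", f"setX{i}", f"enter{i}", f"P{i}setX0"}),
        locations=frozenset({"q0", "q1", "q2", "q3"}), init=frozenset({"q0"}),
        clocks=frozenset({y}),
        edges=frozenset({
            ("q0", f"start{i}", (), frozenset({y}), "q1", 0),
            ("q1", f"setX{i}", ((y, "<=", DELTA),), frozenset({y}), "q2", 0),
            ("q2", f"enter{i}", ((y, ">=", DELTA_C),), frozenset(), "q3", 0),
            ("q3", f"P{i}setX0", (), frozenset(), "q0", 0)}),
        inv={"q1": ((y, "<=", DELTA),)})

def variable_x(n):
    """VARIABLE-X for n processes: location 'X=k' records the value k. Reads of X
    (start_i needs X = 0, enter_i needs X = i) are self-loops at one location only;
    writes (setX_i, P_isetX0) are accepted from every location."""
    edges = set()
    for i in range(1, n + 1):
        edges.add(("X=0", f"start{i}", (), frozenset(), "X=0", 0))
        edges.add((f"X={i}", f"enter{i}", (), frozenset(), f"X={i}", 0))
        for k in range(n + 1):
            edges.add((f"X={k}", f"setX{i}", (), frozenset(), f"X={i}", 0))
            edges.add((f"X={k}", f"P{i}setX0", (), frozenset(), "X=0", 0))
    return Process(frozenset(e[1] for e in edges), frozenset(f"X={k}" for k in range(n + 1)),
                   frozenset({"X=0"}), frozenset(), frozenset(edges), {})

def sources(p, event):
    """Product locations from which `event` can fire."""
    return {e[0] for e in p.edges if e[1] == event}

SYSTEM = compose(compose(fischer_process(1), fischer_process(2)), variable_x(2))
```

In the product, start1 is only possible where Process 1 is in $q_0$ and VARIABLE-X records $X = 0$, and enter1 only where Process 1 is in $q_2$ and $X = 1$: the constraint "disallow a process event when the value of $X$ would prohibit it" falls out of synchronization on the shared event with no guard on $X$ anywhere.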

3.3.2  Non-Zenoness 

A machine model of a timed system is non-Zeno iff every finite execution can be extended to a divergent infinite one [HNSY92]. A timed safety automaton $P_1$ is called time progressive with respect to a set of processes $\{P_2, \ldots, P_k\}$ iff it satisfies the following conditions:

•  (immediate progress): every control location $q$ has either

  1.  no upper bound in its safety invariant, i.e. $Inv(q)$ includes all its time successors, or

  2.  for every $x \in Inv(q)$, there is a transition labeled $\sigma$ leaving location $q$, such that

    -  for some $\delta$, $x + \boldsymbol{\delta}$ satisfies its timing enabling condition, and

    -  the transition is guaranteed to be enabled in the product because all other processes sharing the event $\sigma$ never disable $\sigma$ regardless of which timed-states they are in, i.e. for every $i \ge 2$, if $\sigma \in \Sigma_i$, then for every control location $q' \in Q_i$ and point $x'$ there is an outgoing transition from $q'$ labeled $\sigma$ satisfied by $x'$.

•  (time-progressive cycles): for every cycle of transitions in $P_1$ there is a positive constant $\delta > 0$ such that it is impossible to traverse the cycle without at least $\delta$ time passing.

Theorem 3.3 Given a set of real-time processes $\mathcal{P} = \{P_1, P_2, \ldots, P_k\}$, if each $P_i$ is time progressive with respect to $\mathcal{P} \setminus P_i$, then $P_1 \parallel P_2 \parallel \cdots \parallel P_k$ is non-Zeno.

Proof: We show that every finite timed run can be extended to an infinite divergent one. Consider the timed-state $s = (q, x)$ at the end of the finite run. We extend the run inductively as follows.

If time can progress without bound in the current control location, we are done, since we can repeatedly take events $\delta_t$ for any fixed positive $t$, yielding a divergent run.

Suppose otherwise. If a transition is enabled, take it, leading to timed-state $s_1$. Otherwise, we may add a time passage event $\delta_t$ until a transition $\tau$ is enabled. The following reasoning shows this can always be done. By the immediate progress property, for every $i \ge 1$ for which $P_i$'s control location has a nontrivial safety invariant there is a $\delta_i$ such that a transition is enabled in $P_i$ after $\delta_i$ time units and the safety invariant in $P_i$ still holds. Let $t$ be the smallest such $\delta_i$. Then we can safely add $t$ time units to the global state without violating any safety invariants, and there is an event enabled at $(q, x + \mathbf{t})$. After adding this time passage event $\delta_t$ to the run, the transition $\tau$ is fired.

Repeating the above procedure results in a path either leading to a control location with no upper bound in its invariant, or a path involving infinitely many labeled transitions. The first case obviously gives a divergent run, and in the second case, the run must pass through infinitely many cycles, giving a divergent run because each cycle takes at least a fixed non-zero number of time units, because of the time-progressive cycles condition. □

Finally, we note that simple timed automata are always non-Zeno, since arbitrary amounts of time may pass while control remains in any fixed location.

Theorem  3.4  Simple  timed  automata  are  non-Zeno.  □ 

3.3.3  Example 

We  consider  a  simple  version  of  the  well-known  timed  mutual  exclusion  protocol  due 
to  Fischer.  A  similar  example  appears  in  [AL92,  SBM92]. 

This is an $n$ process algorithm, where each process uses timing constraints on its actions to ensure mutual exclusion. Each process has a unique process identifier $i$ and 4 operating states. They synchronize their actions through the shared variable $X$. From location $q_0$ a process may advance to location $q_1$ at any time provided $X$ has value 0. It may delay here for up to a fixed number of seconds before setting the value of $X$ to $i$. It simultaneously advances to location $q_2$, from which it may enter its critical section as long as it does so after at least $\delta_c$ seconds and the value of $X$ is still $i$. Upon leaving its critical section, it reinitializes $X$ to 0.

The timed safety automata for the case of two processes are given in figure 3.2. The conditions on the value of the global variable $X$ are maintained by the special process called VARIABLE-X whose states encode the current value of the global variable. In other words, if this process is at control location $q_i$, then $X$ equals $i$. Because each process can independently read and write the value of the variable $X$, we need to create separate events for each process. If not, the events could only occur when they were synchronized across all processes. Thus Process 1's alphabet has events start1 for starting the protocol, setX1 for moving from state $q_1$ to $q_2$ and setting $X$ to 1, enter1 for entering its critical section, and P1setX0 for leaving its critical section and reassigning the global variable $X$ to 0. Whenever a process has an event for writing the value of $X$, the process for the variable $X$ shares that event, and its effect in VARIABLE-X reflects the written value. Constraints on each process's behavior are expressed by disallowing certain process events when the value of $X$ would prohibit it. For example, the lack of a start1 action out of locations $q_1$ and $q_2$ indicates Process 1 cannot start the protocol if $X$ equals 1 or 2.

Figure 3.2: Automata for mutual exclusion protocol (Process 1, Process 2 and VARIABLE-X)

The clock $y_i$ is used to express the timing conditions on transitions. Notice that the safety invariants at locations $q_1$ of each contending process force the process to proceed to the next step of the algorithm: it cannot delay in $q_1$ forever. However, there is no similar invariant forcing a process to eventually enter its critical section in location $q_2$.
Figure 3.3: Real-time process $i$ for mutual exclusion protocol

Non-Zenoness

The composed system is non-Zeno since each process $P_i$ satisfies both the immediate progress property (since the safety invariant at $q_1$ implies the enabling constraint on the event leaving $q_1$) and the time-progressive cycles condition (since at least $\Delta_b$ time units pass on each cycle through $P_i$). Thus by theorem 3.3 their composition is non-Zeno.


Graphical  shorthand 

For simplicity and clarity of exposition, we allow an abbreviated automaton representation which handles discrete-valued variables over finite domains. We write $X := k$ within a process $P$ to mean that it executes a write event of the variable $X$, assigning it the value $k$. It is understood that the process for the variable $X$ will include transitions modeling the effect of $P$'s write event. Similarly, read events may appear as $X = k$ in a process, with the corresponding event enabled in the process for $X$ from the location for value $k$. In this case the automaton model for the variable $X$ need not be explicitly shown.

For example, an automaton for the $i$-th process in Fischer's mutual exclusion algorithm appears in figure 3.3. By convention, variables are written in upper case to help distinguish them from clocks.


3.4  Safety  verification 

A methodology for verifying timed safety properties of a non-Zeno real-time system is the following:

1.  Describe the real-time system to be verified as a non-Zeno timed safety automaton $A$.

2.  Describe  the  complement  of  the  specification  as  a  timed  automaton  D  with 
a  specially  marked  violation  state,  i.e.  all  violating  traces  have  a  run  in  the 
automaton  leading  to  its  violation  state. 

3.  Form  the  product  G  of  D  and  A. 

4.  Test  whether  the  violating  state  in  D  is  reachable  in  G. 

This procedure is equivalent to checking for emptiness of the language $L(A) \cap \overline{L(Spec)}$. In many instances, the automaton for the complemented specification may be obtained by first constructing a deterministic timed safety automaton for the specification, then taking its completion. The idea behind the completion automaton is that every trace not in the specification induces a run leading to the violating state. Because a violation corresponding to time exceeding a safety invariant is not detectable as a labeled event, we need to add a new event $\alpha$ to signal this has happened. The completion $compl(A)$ of the automaton $A$ is a timed automaton with a specially marked trap state which has incoming edges for every potential transition not enabled in $A$, including those which correspond to allowing time to pass beyond any safety invariants. Let $W(q, \sigma) = Inv(q) \cap \bigcup\{\phi' \mid \exists q', \alpha' \text{ such that } (q, \sigma, \phi', \alpha', q') \in T\}$ be the set of points within $q$'s safety invariant for which $q$ has an enabled transition labeled $\sigma$. The action $\alpha_{nil}$ is the null reset action. A constraint is maximal in a set $Y$ iff it is contained in $Y$ and not contained in any other enabling constraint within $Y$. The definition uses maximal sets because the direct complements are not time zones, and so are not permissible as timing constraints on transitions. The completion of deterministic automaton $A$ is defined as $compl(A) = (\Sigma', Q', Q_{init}, C, T', Inv')$ where

•  $\Sigma' = \Sigma \cup \{\alpha\}$, where the event $\alpha \notin \Sigma$ signifies time has exceeded a location's safety invariant.

•  $Q' = Q \cup \{q_{viol}\}$, where $q_{viol}$ is a special violation state.

•  $Inv'(q) = \mathbb{R}^n$ for all control locations $q \in Q'$.

•  $T' = T_0 \cup T_1 \cup T_2 \cup T_3$, where

  -  $T_0 = \{(q, \sigma, \phi', \alpha, q') \mid (q, \sigma, \phi, \alpha, q') \in T \text{ and } \phi' = \phi \cap Inv(q)\}$, representing transitions in $A$ with the implicit constraint that safety invariants be satisfied made explicit,

  -  $T_1 = \{(q, \sigma, \phi, \alpha_{nil}, q_{viol}) \mid \phi \text{ is maximal in } \overline{W(q, \sigma)}\}$, representing all events for which $A$ has no transition,

  -  $T_2 = \{(q, \alpha, \phi, \alpha_{nil}, q_{viol}) \mid \phi \subseteq \overline{Inv(q)}, \text{ and } \phi \text{ is maximal in } \overline{Inv(q)}\}$, representing events which may occur when the safety invariant at $q$ does not hold,

  -  $T_3 = \{(q_{viol}, \sigma, \mathit{TRUE}, \alpha_{nil}, q_{viol}) \mid \sigma \in \Sigma'\}$.

Example 3.5 Figure 3.4 shows a deterministic automaton $A$ and its completion. The alphabet of $A$ is $\Sigma = \{a, b\}$. The safety invariant on location $q_0$ is removed. In order to correctly constrain the event $a$ leading to location $q_1$ the conjunct $x \le 5$ is added to its enabling condition. If a $b$ event ever occurs in location $q_0$ it is a violation. Furthermore any event occurring beyond $q_0$'s safety invariant indicates that no outgoing event has taken place in timely fashion, and again control enters the $q_{viol}$ state. Strictly speaking, the enabling condition $x \ne 3$ is syntactically illegal since it does not represent a time zone, but we use it as shorthand for two transitions for $b$, one enabled when $x < 3$ and one when $x > 3$. □

Figure 3.4: Automaton completion

The projection of a timed trace $e$ over $\Sigma$ onto a subalphabet $\Sigma' \subseteq \Sigma$ is denoted $proj(\Sigma')(e)$ and is defined as the trace obtained by deleting all events in $\Sigma \setminus \Sigma'$ from $e$.

Proposition 3.6 Given a deterministic timed safety automaton $A$, a timed trace $\tau$ is not in $L(A)$ iff there exists a trace $\tau'$ such that $proj(\Sigma)(\tau') = \tau$ and $compl(A)$'s run for $\tau'$ enters the trap state.

Proof: (Sketch) Since $A$ is deterministic, by construction so is $compl(A)$. Furthermore $compl(A)$ has a run for every timed trace over $\Sigma$.

If the timed trace $\tau$ is not in $L(A)$, then there must be some point at which either time passes beyond the current safety invariant or an event occurs for which there is no enabled transition in $A$. We show that both cases cause $compl(A)$'s run to enter the violation state for a trace whose projection is $\tau$. In the first case, the safety invariant in $A$ is violated. If this happens after $i$ events in $\tau$, then $compl(A)$ can mimic $A$ over the first $i$ events of $\tau$ using transitions in $T_0$, take a transition in $T_2$ via the added event $\alpha$ to the violation location, then follow transitions in $T_3$ for the remainder of $\tau$. In the second case, an illegal labeled transition occurs in $A$. If this happens at the $i$-th event in $\tau$, then $compl(A)$ can mimic $A$ over the first $i - 1$ events of $\tau$ using transitions in $T_0$, take a transition in $T_1$ to the trap location, then follow transitions in $T_3$ for the remainder of $\tau$. In both cases, it is easy to see that $compl(A)$'s trace $\tau'$ projects onto $\tau$.

The reverse direction of the equivalence is similar and omitted. □

Figure 3.5: Bounded liveness specification

We  note  that  for  the  purposes  of  safety  verification  the  self-loops  on  the  violation 
location  can  be  dropped.  This  is  because  it  is  not  necessary  to  continue  the  run  for 
a  trace  not  in  L{A)  once  it  is  known  that  compl{A)  has  a  corresponding  run  to  the 
location. 


Example 3.7 Bounded liveness is a common form of specification property. Figure 3.5 shows how an automaton can specify the property "every $a$ event is followed by a $b$ event within 5 time units." □

Example 3.8 Fischer mutual exclusion: The automata of the processes in the Fischer mutual exclusion algorithm were given in figure 3.2. We verify the untimed safety property that no two processes are ever in their critical sections at the same time. This property is expressed by the automaton of figure 3.6. As an alternative, we observe that if all the processes are symmetric, we can test for the error condition resulting from Process 1 entering its critical section, followed by Process 2 entering its critical section, as shown in figure 3.7. □

Figure 3.6: Mutual exclusion specification

Figure 3.7: Mutual exclusion specification

3.4.1  Decidability 

This  section  is  a  restatement  of  results  by  Alur,  Courcoubetis,  and  Dill  [ACD90, 
AD90],  who  show  that  the  state-space  of  an  timed  automaton  can  be  divided  into  a 
finite  number  of  equivalence  classes  sulRcient  for  deciding  whether  a  particular  control 
location  is  reachable.  We  briefly  describe  the  equivalence  relation,  which  gives  a 
bisimulation  over  the  transition  system  induced  by  a  timed  automaton.  It  essentially 
distinguishs  the  critical  integral  values  of  the  clocks  and  the  ordering  of  their  fractional 
parts.  We  assume  that  every  clock  appears  in  some  enabling  condition,  and  define  Ki 
to  be  the  largest  constant  which  clock  Xi  is  ever  compared  to.  For  any  r  €  IR,  let  [rj 
denote  the  integral  part  of  r  and  fract{r)  the  fractional  part,  i.e.  fract{r)  =  r  —  [rJ. 
We  first  define  the  equivalence  relation  on  n- vectors  as  x  ^ad  if  s-iid  only  if 
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Figure  3.8:  Detailed  Alur-Dill  regions 


1.  Vi  =  l..n,  if  Xi  <  Ki  or  x[  <  Ki  then 

(a)  [xi\  = 

(b)  fract{xi)  =  0  iff  fract{x\)  =  0 

2.  Vi,  j  =  l..n,  if  Xi  <  Ki  and  Xj  <  Kj,  then 

fract{Xi)  <  fract{xj)  iff  fract{x[)  <  fract{x'j) 

We  extend  this  equivalence  relation  from  points  in  IR”  to  timed-states  as  follows: 
{q,  x)  ^ad  W,  S')  iff  S  ^ad  S'  and  q  —  The  equivalence  classes  are  called 
detailed  regions. 

Example  3.9  The  detailed  regions  induced  by  the  two  clocks  Xi  and  xi  with  Ki  =  2 
and  K2  =  I  are  all  the  intersection  points,  open  line  segments,  and  open  faces  in 
figure  3.8.  171 

The  following  three  theorems  are  due  to  Alur  and  Dill. 

Theorem 3.10 For a timed safety automaton $A$, the number of equivalence classes of the relation $\approx_{AD}$ is $O(|Q| \cdot n! \cdot \ldots \cdot (\ldots + 2))$. □

A relation $\approx$ is said to be a labeled bisimulation over a set of timed-states with respect to the relations $N_\sigma$ and $N_\delta$, given in subsection 3.2.3, iff for all $s_1, s_2$, $s_1 \approx s_2$ implies

1. for all $s'_1$, if $N_\delta(s_1, s'_1)$ then there exists a timed-state $s'_2$ such that $N_\delta(s_2, s'_2)$ and $s'_1 \approx s'_2$.

2. for all $\sigma$, for all $s'_1$, if $N_\sigma(s_1, s'_1)$ then there exists a timed-state $s'_2$ such that $N_\sigma(s_2, s'_2)$ and $s'_1 \approx s'_2$.

Theorem 3.11 The relation $\approx_{AD}$ is a labeled bisimulation over the timed-states. □

A reachability analysis can be performed over the equivalence classes, instead of over the individual timed-states. We construct a set-graph, a graph whose nodes are sets of states. There is an edge in the set-graph from set $A$ to set $B$ whenever there exists an edge in the underlying transition system from some state $a \in A$ to some state $b \in B$. The nodes of the set-graph are the detailed regions, and because these form a bisimulation, a class is reachable in the set-graph iff some element of it is reachable in the underlying timed transition system.

Theorem  3.12  The  timed  safety  verification  problem  is  decidable.  □ 

We note however that the problem is PSPACE-complete: it is exponential both in the number of clocks and in the size of the timing constants. Reachability over modular untimed systems is already a hard problem, and adding timing information is comparable to adding extra processes, which makes real-time verification in practice much harder than analyzing untimed systems. This difficulty motivated the search for heuristics that make timing verification viable on real examples.


Chapter  4 

Verifying  Real-Time  Systems  — 
Part  I 


4.1  Introduction 


The approximation algorithm can be applied to real-time systems represented by timed safety automata. The first four sections of this chapter show how to perform forward and backward symbolic reachability on timed automata. Sets of timed states are symbolically represented using rounded regions. We define these sets of states in section 4.4 and review a description of an efficient data-structure for them, difference bounds matrices due to Dill [Dil89]. We show how to perform the successor, predecessor, and intersection operations.

The rest of the chapter describes how approximation is applied to verify real-time systems. It provides the approximating operators, discusses termination, and demonstrates the algorithm over toy examples.

In this chapter, we describe approximations over the timing component only of the state-space. We delay until the next chapter a discussion of how approximations can be performed simultaneously over both the control information and timing information.
Symbolic representation of timing information

We use the rounded regions of an automaton as the domain of approximating sets. Recall that the states of a real-time system are pairs of the form $(q, x)$, where $q$ is a TSA location and $x$ is a vector of clock values. In this chapter we consider only sets of states which share the same control location, namely sets of the form $(q, Z)$ where $Z$ is a rounded (time) zone. The algorithm for approximating reachable states is obtained in a straightforward way, except for two considerations, namely rounding (to ensure the algorithm terminates) and the use of a disjunctive next-state relation (to ensure that each next-state computation is closed for the approximating sets).


4.2  Time  zones  and  bounds 

Successful symbolic verification of real-time systems depends on effective manipulation of sets of timed states. The rounded zones we use in our approximating sets are a subclass of time zones. Time zones have an efficient representation due to Dill [Dil89] called difference bounds matrices (DBMs). Difference bounds matrices have a canonical form for which there are $O(n^3)$ algorithms for finding intersections, time successors, time predecessors, images and preimages of events [Dil89, ACD+92, Rok93], where $n$ is the number of clocks in the system.

Recall  that  a  time  zone  Z  €  2’(n)  is  a  (possibly  unbounded)  polyhedron  defined  by 
integer  constraints  on  clocks  and  clock  differences.  If  we  identify  a  new  fictitious  clock 
variable  xq  with  the  constant  value  0,  these  constraints  can  be  represented  uniformly 
as  bounds  on  the  difference  between  two  clock  values.  For  instance,  x  >  5  can  be 
expressed  as  x  —  Xq  >5.  Furthermore  we  can  restrict  attention  to  upper  bounds 
without  loss  of  generality.  More  precisely,  each  inequality  can  be  re-expressed  in  one 
of  the  following  forms: 

Xj  -  Xj  <  k  or  Xi  -  Xj  <  k,  for  some  integer  k, 

To describe these inequalities in a uniform fashion we introduce the domain of bounds. Let $\mathbb{Z}^- = \{\ldots, -3^-, -2^-, -1^-, 0^-, 1^-, 2^-, \ldots\}$ where $n^-$ represents a value "infinitesimally smaller than $n$". A bound is any element of $\mathbb{Z} \cup \mathbb{Z}^- \cup \{-\infty, \infty\}$. Each bound is intended to represent an upper bound on a real value. We take both "$x \le n^-$" and "$x < n^-$" to mean "$x < n$", and similarly "$x \ge n^-$" and "$x > n^-$" stand for "$x \ge n$". We define an ordering $\prec$ on bounds as the smallest ordering induced by the usual ordering over $\mathbb{Z} \cup \{-\infty, \infty\}$ and $n - 1 \prec n^- \prec n$. The relation $\preceq$ is defined over bounds as $b_1 \preceq b_2$ iff $b_1 \prec b_2$ or $b_1 = b_2$.

Bounds can be added, with the exception that $-\infty$ cannot be added to $\infty$. Bounds in $\mathbb{Z}$ and $\mathbb{Z}^-$ are finite, and the value of the bounds $n$ and $n^-$, denoted $v(n)$ and $v(n^-)$ respectively, is $n$. The result of computing $b + b'$ is

$$
b + b' = \begin{cases}
(v(b) + v(b')) & \text{if } b \text{ and } b' \text{ are in } \mathbb{Z} \\
(v(b) + v(b'))^- & \text{if } b \text{ and } b' \text{ are both finite, and at least one is in } \mathbb{Z}^- \\
-\infty & \text{if } b \text{ or } b' \text{ is } -\infty \\
\infty & \text{otherwise}
\end{cases}
$$


4.3  Difference  bounds  matrices 

A difference bounds matrix (DBM) for $\mathbb{R}^n$ is an $(n + 1) \times (n + 1)$ matrix of bounds, with rows and columns indexed from 0 to $n$. The DBM $A$ with entries $a_{ij}$ represents the polyhedron consisting of all points that satisfy the inequalities $x_i - x_j \le a_{ij}$ for each $i$ and $j$. Clearly every time zone can be described by a DBM. However there are many DBMs defining the same zone, because some of the upper bounds need not be tight. For example, the time zone $Z$ in figure 4.1 represented by the system of inequalities

$$x_1 < 2, \qquad x_1 \ge 1, \qquad x_2 \le 5$$

can be represented by any matrix

$$
\begin{pmatrix}
0 & -1 & 0 \\
2^- & 0 & b_1 \\
5 & b_2 & 0
\end{pmatrix}
$$

where $b_1 \succeq 2^-$ and $b_2 \succeq 4$.

Figure 4.1: Time zone Z


4.3.1  Canonical  form  for  DBMs 

The key idea in performing operations on zones is to represent them as canonical DBMs. A constraint $x_i - x_j \le b$ is said to be tight for a time zone $Z$ iff there is no bound $b' \prec b$ such that all of $Z$ satisfies $x_i - x_j \le b'$. The canonical matrix, denoted $cl(Z)$, has all entries representing tight constraints. Dill [Dil89] showed that this matrix can be computed from an arbitrary matrix for $Z$ by applying an all-pairs shortest path algorithm, i.e. by replacing each entry $a_{ij}$ with the minimum, under $\preceq$, of $a_{ij}$ and $a_{ik} + a_{kj}$ over all $k$. This representation therefore leads to easy tests for equality and emptiness of time zones: two zones are equal iff their canonical matrices are equal, and a zone is empty iff some diagonal entry of its canonical matrix is below 0.
procedure time_successors(A, B)
  input  DBM A;   /* DBM for Z */
  output DBM B;   /* DBM for time successors */
  B := A;
  for i := 1 to n do
    B[i][0] := ∞;
  endfor

Figure 4.2: Pseudocode for finding time successors

4.3.2  Operations  on  time  zones 

We  demonstrate  how  operations  on  time  zones  can  be  computed  over  their  DBM 
representations. 

Intersection 

The intersection of two time zones $Z$ and $Z'$ is a time zone. It can be computed from their DBMs. Intuitively we take the conjunction of all the inequalities for both zones by taking the lower of the two bounds for each pair of clock differences. Let $A$ and $A'$ be DBMs for $Z$ and $Z'$. The zone $Z \cap Z'$ is represented by the matrix $B$ where for all $i$ and $j$, $b_{ij} = \min\{a_{ij}, a'_{ij}\}$, where the minimum $\min$ of two bounds is defined using the ordering $\prec$ over bounds. Even when $A$ and $A'$ are canonical, $B$ need not be, so it is canonicalized before further use.

Time  successors 

The set of time-successors $Z\nearrow$ of the time-zone $Z$ is obtained from $Z$ by removing all inequalities of the form $x < k$ or $x \le k$, since these upper bounds restrict time passing indefinitely. The pseudo-code of figure 4.2 describes how this operation can be performed on a canonical DBM. The result is a canonical DBM for $Z\nearrow$.
procedure reset(A, I_α, B)
  input  DBM A, reset index set I_α;   /* DBM for Z */
  output DBM B;                         /* DBM for α(Z) */
  B := A;
  for x_i ∈ I_α do
    /* disregard constraints involving clock x_i */
    for j := 1 to n do
      if j ≠ i then
        B[i][j] := ∞;
        B[j][i] := ∞;
      endif
    endfor
    /* enforce clock reset, i.e. x_i = 0 */
    B[i][0] := 0;
    B[0][i] := 0;
  endfor

Figure 4.3: Pseudocode for computing resets


Time  predecessors 

Similar to the computation of time successors, we may replace all lower bounds on clocks with 0, i.e. set $B[0][i] := 0$ for each clock $x_i$. However in this case, canonical input does not in general imply the output will be canonical, so the result has to be canonicalized again.


Reset  actions 

In order to find the set of timed successors under an instantaneous transition, we need to compute the image of the transition's reset action. Let $\alpha$ be a reset action with corresponding index set $I_\alpha$. Then $\alpha(Z)$ is the projection of $Z$ along the axes of the variables in $I_\alpha$ onto the hyperplane where those variables are 0. It can be found by first ignoring all constraints on variables in $I_\alpha$ and then taking the subset for which all variables in $I_\alpha$ equal 0. Pseudo-code for this operation appears in figure 4.3; its output is in general not canonical, so it is canonicalized before use.
Inverse images of reset actions

We also need to compute the inverse image of the transition's reset action. Let $\alpha$ be a reset action with corresponding index set $I_\alpha$. The set $\alpha^{-1}(Z)$ consists of all timer vectors $x$ such that $\alpha(x) \in Z$. It is the union $\bigcup_{y \in Z} \{x \mid \alpha(x) = y\}$, which is the same as $\bigcup_{y \in Z \cap Z_\alpha} \{x \mid \alpha(x) = y\}$ where $Z_\alpha$ is the zone where all clocks in $I_\alpha$ are equal to 0. In other words, it is the set of all clock vectors $x$ for which there exists a vector $y \in Z \cap Z_\alpha$ which agrees with $x$ over all clock variables not in $I_\alpha$.

Thus the inverse $\alpha^{-1}(Z)$ is computed by first finding the possible image of $\alpha$ within $Z$ (this is done by setting to 0 the bounds on the absolute value of each clock in $I_\alpha$ and canonicalizing), and then taking the inverse projection of the reset variables (by making all bounds relating to clocks in $I_\alpha$ trivial, apart from $x_i \ge 0$, which every clock satisfies).

4.4  Rounded  time  zones 

This  section  explains  why  using  arbitrary  time  zones  would  not  guarantee  termination 
in  reachability  algorithms.  We  then  define  a  restricted  form  of  time  zone  called  the 
rounded  time  zone,  which  is  used  in  our  approximating  sets. 

Decidability of the timed safety verification problem follows from the finiteness of the Alur-Dill equivalence relation. A naive verification algorithm could explicitly enumerate all the reachable equivalence classes. A more practical algorithm may choose to use symbolic enumeration, by considering sets of equivalence classes at a time. Time zones are a natural candidate for a symbolic representation of sets, because operations on them can be performed efficiently. If the time zones encountered by an algorithm were always Alur-Dill equivalence classes, or the exact union of classes, the algorithm would terminate. This, however, is not always the case. Consider a simple set-reachability algorithm that generates a set-graph where each node is a time zone, and every successor set of every node also appears in the graph. Such a graph can be generated using a simple reachability algorithm as in figure 4.4. The algorithm will terminate if and only if the cardinality of $\{N^k(S_0) \mid k \ge 0\}$ is finite. However for timed systems, the algorithm may generate time zones with successively larger finite bounds.
procedure set-reachability
  input  (S, S_0, N);   /* a transition system */
  output G;             /* a set-graph as described above */
  vertices(G) := {S_0};
  edges(G) := {};
  initial(G) := {S_0};
  stack := emptystack;
  push(S_0, stack);
  while (not empty(stack)) do
    A := pop(stack);
    B := N(A);
    if (B ≠ {}) then
      if (B ∉ vertices(G)) then
        vertices(G) := vertices(G) ∪ {B};
        push(B, stack);
      endif
      edges(G) := edges(G) ∪ {(A, B)};
    endif
  endwhile

Figure 4.4: Set reachability algorithm

Example 4.1 The set-reachability algorithm applied as above to the two-state automaton $A_1$ in figure 4.5 would not terminate. The algorithm would successively generate sets with points $(i, 0)$ after each self-loop on $q_0$, a different set for each $i$. The reachable time zones for $q_0$ are shown in the figure. □

One way to use symbolic representations of timed states and still maintain termination properties is to replace each time zone generated with the set of Alur-Dill equivalence classes that it intersects. The problem with this strategy is two-fold: firstly, finding the set of intersecting equivalence classes may be expensive, and secondly, the classes may not be representable by a small number of time zones. For instance, in a 3-clock automaton with $K_1 = 1$, $K_2 = 2$, and $K_3 = 3$, the classes intersecting the time successors of the singleton time zone consisting of the origin require at least 3 time zones to be represented, e.g. $(x_1 = x_2 = x_3 \le 1)$, $(1 < x_1 \wedge 1 < x_2 = x_3 \le 2)$, and $(1 < x_1 \wedge 2 < x_2 \wedge 2 < x_3)$.

Figure 4.5: Automaton $A_1$, causes nontermination without rounding (edge labels in the figure: $y = 1$, $a$)

The  approach  we  take  is  to  use  rounded  time  zones  instead.  Rather  than  replacing 
a  time  zone  Z  with  the  union  of  all  the  classes  it  intersects,  we  round  it  off  by  adding 
some  but  not  necessarily  all  states  which  lie  within  the  union.  Such  rounding  preserves 
the  correctness  of  the  algorithm.  The  potential  disadvantage  of  this  approach  is  that 
there  are  more  rounded  time  zones  than  zones.  The  advantages  are  that  the  rounded 
time  zone  is  easy  to  compute,  and  the  result  is  by  definition  a  single  time  zone,  rather 
than  a  union  of  separate  time  zones.  We  will  see  that  for  the  example  above,  the 
rounded  zone  for  the  time  successors  is  the  zone  of  time  successors  itself. 


4.4.1  Rounded  time  zones 

In this subsection we define the rounding operation on zones. Since there are only finitely many rounded time zones, symbolic analysis over rounded time zones is guaranteed to terminate. We first provide an equivalent definition of the Alur-Dill partitioning relation $\approx_{AD}$ in terms of the constraints. Equivalence classes are determined by a set of primary constraints which are always applied, and also secondary constraints, only some of which may be relevant depending on which particular primary constraints are satisfied. We then show how to refine this relation into constraint zones, where both primary and secondary constraints are always relevant. Rounded time zones are defined to be time zones which are the exact union of constraint zones.
Alternative definition for Alur-Dill classes

We now give an equivalent definition for $\approx_{AD}$. We say $x \approx'_{AD} x'$ iff

1. they satisfy the exact same subset of primary constraints, of the form:

   $x_i < k$, $x_i \le k$, $x_i > k$, $x_i \ge k$, where $x_i$ is a clock and $k \le K_i$ is an integer constant

and,

2. if they satisfy any of the above constraints of the form $x \le k$ or $x < k$ for both $x_i$ and $x_j$, then they also satisfy the exact same subset of secondary constraints, of the form:

   $x_i - x_j < k$, $x_i - x_j \le k$, where $x_i$ and $x_j$ are clocks and $-K_j \le k \le K_i$ is an integer constant.

Proposition 4.2 The equivalence relations $\approx'_{AD}$ and $\approx_{AD}$ are the same, i.e. $x \approx'_{AD} x'$ iff $x \approx_{AD} x'$.

Proof: The first set of constraints in the definition of $\approx'_{AD}$ determines whether $x_i$ is less than or equal to $K_i$, and if so its exact integral part, and whether its fractional part is equal to zero. Thus if $x$ and $x'$ satisfy the same set of constraints, then they also share the same integral parts, and both are either exact integers or not.

We claim the second set of constraints is sufficient to determine the relative ordering of the fractional parts of two clocks, whenever both clocks are sufficiently small. Suppose $x_i \le K_i$ and $x_j \le K_j$. Then $-K_j \le x_i - x_j \le K_i$, since clock values are always non-negative. Now observe that, because $x_i - x_j = (\lfloor x_i \rfloor - \lfloor x_j \rfloor) + (fract(x_i) - fract(x_j))$, the condition of the Alur-Dill equivalence can be reexpressed in terms of the constraints.

• $fract(x_i) < fract(x_j)$ iff $x_i - x_j < \lfloor x_i \rfloor - \lfloor x_j \rfloor$.

• $fract(x_i) = fract(x_j)$ iff $x_i - x_j = \lfloor x_i \rfloor - \lfloor x_j \rfloor$.

Each of these two conditions is determined by the constraint sets of the definition of $\approx'_{AD}$. □
Figure 4.6: Constraint zones


Constraint  zones 

We define a third equivalence, which partitions the timer-valuations into constraint zones. These constraint zones are finer than the regions obtained from the above definition, and are used in describing rounded regions. We say $x \approx_{CZ} x'$ iff they satisfy the exact same subset of legal constraints, of the form:

• $x_i < k$, $x_i \le k$, $x_i > k$, $x_i \ge k$, where $x_i$ is a clock and $k \le K_i$ is an integer constant.

• $x_i - x_j < k$, $x_i - x_j \le k$, where $x_i$ and $x_j$ are clocks and $-K_j \le k \le K_i$ is an integer constant.

The legal constraints are precisely the primary and secondary constraints used in defining the relation $\approx'_{AD}$. Observe that in contrast to $\approx'_{AD}$, the secondary constraints are always used in partitioning classes, regardless of which primary constraints hold. Notice that if we define $K_0 = 0$ for the fictitious clock $x_0$ whose value is always 0, then all legal constraints are of the form

• $x_i - x_j \le b$, where $x_i$ and $x_j$ are clocks and $b$ is a bound value such that $-K_j \preceq b \preceq K_i$.
The constraint zones induced by the two clocks $x_1$ with $K_1 = 2$ and $x_2$ with $K_2 = 1$ are shown in figure 4.6. Pictorially the difference between these regions and the Alur-Dill regions (see figure 3.8) is the extension of the diagonals for the secondary difference constraints.

Proposition 4.3 The relation $\approx_{CZ}$ refines the relation $\approx_{AD}$. □

Let a rounded zone be any time zone which is the union of constraint zones.

Proposition 4.4 Rounded zones are closed under intersection.

Proof: Clearly the intersection of rounded zones is a time zone, so we need only show that it is the union of constraint zones. Constraint zones are disjoint, so since every rounded zone is the union of constraint zones, so must be its intersection. □

We define the function round to map any time zone to the intersection of all rounded zones which include it, i.e.

$$round(Z) = \bigcap \{ Z' \mid Z \subseteq Z' \text{ and } Z' \text{ is a rounded zone} \}$$

Corollary 4.5 For any time zone $Z$, $round(Z)$ is a rounded zone. □

Lemma 4.6 A time zone $Z$ is a rounded zone iff it is definable as the conjunction of a set of legal constraints, i.e. there exists a set of legal constraints $\Theta$ such that $Z = \{x \mid x \text{ satisfies every constraint in } \Theta\}$.

Proof: if: Let $Z$ be defined by the set of legal constraints $\Theta$. We show how $Z$ can be partitioned into constraint zones. Each legal constraint $x_i - x_j \le b$ is equivalent to the disjunction of the legal constraints $b'' < x_i - x_j \le b'$ for each bound $b' \preceq b$, where $b''$ is the nearest bound strictly lower than $b'$, provided $b'' < x_i - x_j$ is a legal constraint, and $-\infty$ otherwise. Taking the conjunction of the disjuncts for each constraint in $\Theta$ defines $Z$ in such a way that each product term defines a constraint zone.

only if: Let $Z$ be a rounded zone. Then consider for each pair $x_i, x_j$, the set of all maximal bounds appearing in constraints $x_i - x_j \le b$ used in tightly defining each of the constraint zones contained in $Z$. Each of these bounds corresponds to a legal constraint. Let $Z'$ be the time zone defined by this set of legal constraints. We establish that $Z$ is exactly $Z'$.

The zone $Z'$ contains $Z$ since its defining bounds are all greater than those appearing in the constraints defining each constraint zone in $Z$. Furthermore all bounds are tight. They cannot be lowered or else some points in $Z$ would be excluded. Thus $Z'$ is the smallest time zone containing $Z$, and hence is equal to $Z$. □


An  array  entry  in  a  DBM  is  called  legal  iff  it  corresponds  to  a  legal  constraint. 
In  other  words,  its  integer  bounding  value  is  neither  too  small  nor  too  big.  Illegal 
constraints  and  entries  are  defined  analogously. 


Theorem 4.7 The time zone $round(Z)$ can be represented by the DBM $B$ obtained from the canonical DBM $A$ for $Z$ where all illegal entries have their bounds rounded up to the nearest legal bound value, i.e.

$$
b_{ij} = \begin{cases}
a_{ij} & \text{if } -K_j \preceq a_{ij} \preceq K_i \\
-K_j & \text{if } a_{ij} \prec -K_j \\
\infty & \text{if } a_{ij} \succ K_i
\end{cases}
$$


Proof: Let $R$ be the time zone $round(Z)$. Let $Z_B$ be the time zone represented by $B$. Since $Z_B$ is a rounded zone including $Z$, it follows that $R \subseteq Z_B$.

To see that $Z_B \subseteq R$, first observe by lemma 4.6 that $R$ is definable by a set $\Theta$ of legal constraints. Let $A_R$ be the matrix for $R$ whose $ij$-th entry is

$$
a^R_{ij} = \begin{cases}
k & \text{if } x_i - x_j \le k \text{ is in } \Theta \\
\infty & \text{otherwise}
\end{cases}
$$

Since $Z$ is contained in $R$ and $A$ is canonical, it follows that $a_{ij} \preceq a^R_{ij}$, because otherwise there would be a point in $Z$ which satisfies $x_i - x_j \le a_{ij}$ but not $x_i - x_j \le a^R_{ij}$.

The rounding process replaces two kinds of entries, in either case with some $b_{ij} \preceq a^R_{ij}$, from which it follows that $Z_B \subseteq R$ as required.

Case 1: $a_{ij} \prec -K_j$.

Then $b_{ij} = -K_j$. If $x_i - x_j \le a^R_{ij}$ is a defining constraint in $R$, then $-K_j \preceq a^R_{ij}$ since it must be a legal constraint. This implies $b_{ij} \preceq a^R_{ij}$. If there is no defining constraint along the $x_i - x_j$ diagonal then $a^R_{ij} = \infty$, in which case it is clear that $b_{ij} \preceq a^R_{ij}$.

Case 2: $a_{ij} \succ K_i$.

We have that $K_i \prec a_{ij} \preceq a^R_{ij}$, and since all elements of $A_R$ are either $\infty$ or legal constraint entries, it follows that $a^R_{ij}$ must be $\infty$, so replacing it with $b_{ij} = \infty$ does not affect containment. □

Figure 4.7: Rounded regions example

The rounded zone for $Z$ defined by $1 \le x_2 \le 2$ and $x_1 - x_2 \le 1$ is shown in figure 4.7. In section 4.4, we considered an automaton with $K_1 = 1$, $K_2 = 2$, and $K_3 = 3$. Three time zones are used to represent the time successors of the origin if we use Alur-Dill equivalence classes. However, the successor set is represented exactly by one rounded time zone.

Theorem 4.8 For every time zone $Z$, $round(Z)$ intersects the same regions as $Z$, i.e. for every $s \in round(Z)$ there is a state $s' \in Z$ such that $s \approx_{AD} s'$.

Proof: The proof must show that rounding $Z$ is sound, i.e. it introduces no states whose Alur-Dill equivalence classes are not already represented in $Z$.
We first show it is sound to replace a single illegal constraint from a time zone which lies entirely within a detailed region. From this we infer that replacing all illegal constraints from such a time zone is also sound. Given this fact, the result follows for an arbitrary zone $Z$, since $Z$ is the union of zones $Z_i$ which lie in distinct detailed regions, and if a defining constraint is illegal in $Z_i$ then there is a similar defining illegal constraint in $Z$. In other words, the effect of replacing illegal constraints in $Z$ is the same as replacing illegal constraints from each $Z_i$. Thus we need only establish the first claim, namely that we can soundly exchange a single illegal constraint from a zone contained in a detailed region.

Let $Z$ be such a zone, contained in the detailed region $D$, and let $\theta : x_i - x_j \le b$ be an illegal constraint in the canonical DBM representation of $Z$. The constraint $\theta$ is said to be a defining constraint for $Z$ iff it is essential in the definition of $Z$, i.e. iff removing $\theta$ from the constraints in the DBM results in a different zone from $Z$. If $\theta$ is not a defining constraint, then replacing it with a weaker constraint in the rounding process has no effect, so we need only consider defining constraints.

For an illegal defining constraint $\theta$, we consider four cases.

• $\theta = x_i \le k$, for some $k > K_i$.

Then $\theta$ is replaced by the trivial constraint $x_i \le \infty$ in the rounding process. Since $Z$ is contained in a detailed region and $\theta$ is tight, it must be the case that $x_i > K_i$ for all points in $Z$. Thus $D$ includes as a defining constraint $x_i \le \infty$, and so replacing $\theta$ with $x_i \le \infty$ in $Z$'s DBM results in a region contained in $D$.

• $\theta = x_j \ge k$, for some $k > K_j$.

Then $\theta$ is replaced by the constraint $x_j \ge K_j$ in the rounding process. Since $Z$ is contained in the detailed region $D$ and $\theta$ is tight, it must be the case that $x_j > K_j$ is a constraint in $D$, since there are no critical constraints of the form $x_j \ge k$ for any $k > K_j$. Thus replacing $\theta$ with $x_j \ge K_j$ in $Z$'s DBM results in a region contained in $D$.

• $\theta = x_i - x_j \le k$, for some $k > K_i$.

Then $\theta$ is replaced by the constraint $x_i - x_j \le \infty$ in the rounding process. Suppose all points in $D$ satisfy some primary constraint $x_i \le b$ for some bound $b \preceq K_i$. Then since $\theta$ is a tight constraint for $Z$, this contradicts containment in $D$. Therefore no points in $D$ satisfy any primary constraints of the form $x_i \le b$. Thus $D$ is not defined by any secondary constraints of the form $x_i - x_j \le b'$, and hence discarding the constraint $\theta$ from $Z$ results in a zone contained in $D$.

• $\theta = x_i - x_j \le k$, for some $k < -K_j$.

Then $\theta$ is replaced by the constraint $x_i - x_j \le -K_j$ in the rounding process. Suppose all points in $D$ satisfy some primary constraint $x_j \le b$ for some bound $b \preceq K_j$. Then since $\theta$ is a tight constraint for $Z$, this contradicts containment in $D$. Therefore no points in $D$ satisfy any primary constraints of the form $x_j \le b$. Thus $D$ is not defined by any secondary constraints of the form $x_i - x_j \le b'$, and hence relaxing the constraint $\theta$ in $Z$ results in a zone contained in $D$. □

4.4.2  Augmenting  next-state  relations 

We now formally justify the use of rounded regions. Given a verification problem $VP = (S, S_0, N, V)$, a bisimulation $\approx$ respects $VP$ iff every equivalence class is either entirely in $V$ or disjoint from $V$. The set next-state relation $\overline{N} : 2^S \to 2^S$ is said to be a $\approx$-set-augmentation of $N$ for $VP$ iff

1. $\approx$ is a bisimulation respecting $VP$, and

2. $\overline{N}$ augments $N$, i.e. for all sets $A \subseteq S$, $N(A) \subseteq \overline{N}(A)$, and

3. for all $A \subseteq S$, for all $s \in \overline{N}(A)$, there exists $t \in N(A)$ such that $s \approx t$.

Proposition 4.9 Given a verification problem $VP$, a bisimulation $\approx$ respecting $VP$, and a set next-state relation $\overline{N}$ which is a $\approx$-set-augmentation of $N$, $(S, S_0, \overline{N}, V)$ is correct iff $(S, S_0, N, V)$ is correct.

Proof: If $(S, S_0, N, V)$ is incorrect, then so is $(S, S_0, \overline{N}, V)$ since $N \subseteq \overline{N}$.

On the other hand, if $(S, S_0, \overline{N}, V)$ is incorrect, we can show that $(S, S_0, N, V)$ is also incorrect by constructing a violating path in the original graph as follows. Suppose $t_0, t_1, t_2, \ldots, t_k$ is a violating path in $(S, S_0, \overline{N})$ with $t_k \in V$. Let $s_0 = t_0$. Since $\overline{N}$ is a $\approx$-augmentation of $N$ there is a state $s_1$ that is bisimilar to $t_1$ and a successor state of $s_0$ via $N$. We inductively continue the construction of a path $s_0, s_1, \ldots, s_k$ in $(S, S_0, N)$ where each $s_i \approx t_i$: condition 3 gives an $N$-successor of $t_i$ bisimilar to $t_{i+1}$, and since $s_i \approx t_i$ the bisimulation gives an $N$-successor $s_{i+1}$ of $s_i$ bisimilar to that state, hence to $t_{i+1}$. Now since $\approx$ respects $V$ and $t_k \in V$ it follows that $s_k$ is in $V$, and hence $(S, S_0, N, V)$ is also incorrect. □

Lemma 4.10 The rounded regions are closed under the operations $N^R_\sigma = round \circ N_\sigma$ and $N^R_\delta = round \circ N_\delta$. □

Lemma 4.11 The states reachable with $N^R_\sigma$ and $N^R_\delta$ are bisimilar to those reachable by using $N_\sigma$ and $N_\delta$, and thus $N^R_\sigma \cup N^R_\delta$ is a $\approx_{AD}$ set-augmentation of $N_\sigma \cup N_\delta$. □

Theorem 4.12 The verification problem with next-state relation $N_\sigma \cup N_\delta$ reduces to that over $N^R_\sigma \cup N^R_\delta$. □

Theorem 4.13 The set-reachability algorithm applied to a timed safety automaton with $N^R_\sigma$ replacing $N_\sigma$ and $N^R_\delta$ replacing $N_\delta$ terminates correctly.

Proof: The result follows from the above theorem because there are only finitely many rounded zones. □

Thus we may use the rounded next-state relations to decide the verification problem for timed safety automata.


4.5  Approximation  of  real-time  systems 

4.5.1  Over  approximation 

The overapproximation operator for verifying real-time systems is defined over time
zones as the zone that results from rounding the smallest enclosing time zone:

$A \sqcup B = \mathit{round}(\mathit{enclose}(A, B))$

$\mathit{enclose}(A, B) = \bigcap \{ Z \mid Z \text{ a time zone and } A \cup B \subseteq Z \}$

The smallest enclosing region is called the prejoin of $A$ and $B$, and is well-defined
since time zones are closed under intersection.


Proposition 4.14 If $A$ and $B$ are represented by canonical DBMs with the same
name, their prejoin is represented by the DBM $D$ whose entries are the pairwise
maxima of entries in $A$ and $B$, i.e. $d_{ij} = \max\{a_{ij}, b_{ij}\}$.

Proof: Let $D$ be the time zone represented by the matrix of the same name. It
includes $A$ and $B$ since all bounds in $D$ are no tighter than in $A$ and $B$.

To see that it is the smallest time zone containing both $A$ and $B$, first observe
that all bounds in $A$ and $B$ are as tight as possible. If any $d_{ij}$ is tighter than, say, $a_{ij}$,
then $D$ cannot contain all of $A$ since $A$ contains points for which $x_i - x_j = a_{ij}$ but
which are disallowed in $D$. Thus no bounds in $D$ can be further tightened, and so $D$
represents the smallest possible time zone enclosing $A$ and $B$. □

The overapproximation operator is extended in the expected way to regions, i.e.

$(q, Z) \sqcup (q', Z') = \begin{cases} (q, Z \sqcup Z') & \text{if } q = q' \\ \text{undefined} & \text{otherwise} \end{cases}$

Proposition 4.15 The set of rounded regions is closed under the overapproximation
operator. □


4.5.2  Under  approximation 

We define the operator over single approximating sets, and the extension to sets of
approximating sets follows from the discussion in section 2.2.3. The underapproximating
operator $\triangleright$ is defined as:

$(q, Z) \triangleright (q', Z') = \begin{cases} (q', Z') & \text{if } (q, Z) \subseteq (q', Z') \\ (q, Z) & \text{otherwise} \end{cases}$

Proposition 4.16 The operator defined above is an underapproximating operator.

Proof: It clearly satisfies the correctness property UA_1. The non-emptiness property
holds by the first condition in the definition. □

Proposition  4.17  The  set  of  rounded  regions  is  closed  under  the  underapproximating 
operator. 

The plus operator over sets of approximating sets (see subsection 2.2.3) is restricted
so that it is maximal up to a limit of $k$ underapproximating sets per separating
class. In other words the result of expanding a set $\{A_{ij}\}$ of approximating sets
with another set $\{B_{ij'}\}$ is a superset of the original set, with as many $B_{ij'}$ added as
possible, provided there are at most $k$ sets in the extension.

4.5.3  Disjunctive  next-state  relation 

The  algorithm  in  chapter  2  assumes  that  the  result  of  applying  the  next-state  relation 
to  an  approximating  set  A  yields  an  approximating  set  B.  This  approximating  set  B 
is  then  split  across  the  separating  classes  into  further  approximating  sets  Bi,  each  of 
which  is  then  joined  to  the  existing  approximating  structure,  one  separating  class  at 
a  time.  However,  the  next-state  relation  of  a  timed  safety  automaton  does  not  yield  a 
single  region,  but  rather  a  disjunction  of  regions,  since  the  next-state  relation  is  itself 
a  disjunction  of  relations,  each  of  which  may  yield  different  regions. 

Such a situation can easily be handled by a modified approximation algorithm,
by computing the next-state relation in parts. Suppose the next-state relation $N$
is the disjunction of $k$ relations $N_i$, and each $N_i$ is closed over the domain of
approximating sets. Instead of computing $N(A)$ we consider each $N_i(A)$ in turn. The
result after $k$ computations, and applications of the approximating operators, has the
same effect as computing the successors as a set of $k$ approximating sets, and then
performing the approximating operators in one step.

Theorem 4.18 The modified algorithm for disjunctive next-state relations terminates
correctly over finite state systems.

Proof: (Sketch) Correctness is obvious since computing the next-state relation in
several steps does not affect whether the algorithms correctly overapproximate or
underapproximate. The necessary modifications to proofs of propositions supporting
the termination theorem 2.14 are tedious but straightforward. □

4.5.4  Urgent  events 

We assume that urgent events have no timing constraints associated with them¹.
Urgent  events  could  be  modeled  by  adding  safety  invariants  with  upper  time  bound 
0  on  a  clock  which  is  reset  on  entering  a  state  in  which  an  urgent  event  is  enabled. 
However,  it  is  more  effective  to  handle  them  directly.  Marks  can  be  placed  on  control 
locations  in  the  automaton  where  urgent  events  are  enabled.  Rather  than  resetting 
a  clock  on  entering  the  control  location,  the  next-state  relation  is  altered  to  disallow 
time  passing  in  this  state.  The  immediate  advantage  of  this  strategy  is  that  we  reduce 
the  number  of  clocks  in  the  system,  which  increases  the  speed  of  verification.  Further 
benefits  are  discussed  in  the  next  chapter. 


4.6  Proof  of  termination 

The  termination  proof  of  the  previous  chapter  applied  to  finite-state  systems  only. 
We  show  now  that  the  algorithm  also  terminates  for  the  verification  of  timed  safety 
automata,  essentially  because  the  algorithm  uses  the  finite  domain  of  rounded  regions 
for  approximating  sets. 

Let $X = \{X_\alpha\}_{\alpha \in J}$ be a partition of $S$. We define the set

$Y = \{ Y_i \mid Y_i = \bigcup_{\alpha \in J'} X_\alpha \text{ for some } J' \subseteq J \}$

to be the sets which are the union of blocks in the partition. A verification problem
VP $= (S, S_0, N, V)$ is said to be separated by the partition $X = \{X_\alpha\}_{\alpha \in J}$ of $S$ iff

1. $S_0 \in Y$,

2. $V \in Y$,

3. $Y$ is closed under the next-state relation $N$, and the approximation operators
$\sqcup$ and $\triangleright$.

It is separable iff it is separated by some partition $X$. The problem VP is said to
be finitely separated by $X$ iff it is separated by $X$ and $X$ is finite. The term finitely
separable is similarly defined.

¹It is possible to convert any timed safety automaton into this form. A proper transition relation
has no strict lower bounds in the enabling conditions of urgent events, so a location with outgoing
urgent events can be divided into separate locations, each representing a zone where the urgent event
is either enabled or disabled.

Proposition 4.19 If the verification problem $(S, S_0, N, V)$ is finitely separable by
$X$, and the domain of approximating sets includes all elements of $X$, then the full
approximation algorithm of chapter 2 terminates, and correctly decides the verification
problem. □

Lemma 4.20 The transition system induced by a timed safety automaton is finitely
separable by the detailed rounded regions. □

Proposition 4.21 The full approximation algorithm applied to $(S, S_0, \hat{N}, V)$, where
the $\approx$-augmentation $\hat{N}$ is $\bigcup_e (\mathit{round} \circ N_e) \cup (\mathit{round} \circ N_\delta)$ defined in section 4.4.1, terminates, and
correctly decides the verification problem for timed safety automata. □


4.7  Examples 

We  illustrate  the  algorithm  with  a  couple  of  examples. 

Separating  classes  and  conditional  joining 

First consider the automaton $A_1$ in figure 4.8. An enabling condition of form $(x, y) =
(1, 1)$ represents the constraint $x = 1 \wedge y = 1$. The violation location is $q_3$. The approximation
algorithm finds the initial forwards overapproximation and underapproximation,
and the backwards overapproximation. After these computations the algorithm
halts with the system verified correct. Figure 4.9 shows the truly reachable states
and the resulting approximating structures. The forward overapproximation starts
by adding the time successors to the origin. The successors of the set $(q_0, (x = y))$
are the sets $\{(q_1, (1, 0))\}$ and $\{(q_1, (0, 1))\}$, each obtained by individually following a
transition from $q_0$. Suppose the former set is added first to the overapproximation.
The state-space is partitioned according to control location, so when the second set
is added to the approximation, it is joined to the first, giving $(q_1, (x \le 1 \wedge y \le 1))$.
Adding time successors to this set gives the region shown in figure 4.9. Joining the
successor sets out of $q_1$ yields $(q_2, (x \le 1 \wedge y \le 1))$. Completing the approximation
gives the states depicted on the second row of figure 4.9.

[Figure 4.8: Timed safety automaton $A_1$ (diagram not reproduced; its edges carry enabling conditions such as $(x, y) = (1, 0)$ and the resets $x := 0$ and $y := 0$)]

The underapproximation is taken to consist of up to two approximating sets
per separating class. The successor states of $(q_0, (x = y))$ are the individual sets
$(q_1, \{(0, 1)\})$ and $(q_1, \{(1, 0)\})$. Since the approximation allows up to 2 sets per separating
class, both are included. Adding time successors to $(q_1, \{(0, 1)\})$ leads to the
ray $(q_1, (y = x + 1))$. Since it includes the underapproximating set $(q_1, \{(0, 1)\})$, it
replaces the latter set in the underapproximation.

The backwards overapproximation starts with the violating states at location $q_3$.
Suppose the transition enabled on $(x, y) = (1, 0)$ is considered first. Then the backwards
overapproximation includes the set $(q_2, \{(1, 0)\})$. The other transition into $q_3$
results in adding $(q_2, \{(0, 1)\})$ to the approximation. These two sets at location $q_2$ are
not joined together because doing so would violate condition 1 for permissible joins,
i.e. their join $(q_2, (x \le 1 \wedge y \le 1))$ includes the forwards underapproximation whereas
neither of the original sets do. Computation of the approximation completes without
including the initial state, and so the system is correctly verified.

[Figure 4.9: Approximations for $A_1$ (diagram not reproduced; its rows show the forwards underapproximation and the backwards overapproximation at locations $q_0$ to $q_3$, with clock axes from 0 to 2)]


Rounding  and  urgent  events 

Our second example, shown in figure 4.10, illustrates rounding and the treatment of
urgent events. The truly reachable states and the first forward overapproximation
only are shown in figure 4.11. Time may pass without bound while control remains
in location $q_0$. At any time less than 1, control may pass to location $q_1$. The urgent
event is instantly enabled, leading to location $q_2$. Now time is allowed to pass in
location $q_2$. The clock $y$ may be reset whenever it reaches 1, and control may move
to the location $q_3$ when $x = 2$.

The first forwards overapproximation begins by adding all time successors to the
zero vector at location $q_0$, giving the approximating set $(q_0, (x = y))$. This set is joined
to the initial approximating set in the separating class for $q_0$, namely $(q_0, (x = y = 0))$,
resulting in $(q_0, (x = y))$ since it contains the initial set. The transition from $q_0$
to $q_1$ leads to states $(q_1, (x = y < 1))$. Because there is an urgent event out of
$q_1$, no time successors are added to this set. Following the urgent event leads to
$G_1 = (q_2, (x = y < 1))$, to which the time successors $G_2 = (q_2, (x = y))$ may be
added. The self-loop adds states $G_3 = (q_2, \{(1, 0)\})$ for which the prejoin with $G_2$
yields $G_4 = (q_2, (0 \le x - y \le 1))$ which is a rounded region.

[Figure 4.10: Timed safety automaton $A_2$ (diagram not reproduced)]

[Figure 4.11: Approximations for $A_2$ (diagram not reproduced; panels show the truly reachable states and the forwards overapproximation)]

Following the transition to $q_3$ leads to $H_1 = (q_3, (x = 2 \wedge 1 \le y \le 2))$. This
is a rounded region, even though at first sight it appears to be defined using
the illegal constraint $y \le 2$, which should then be discarded in the rounding process.




Notice however that the constraints $y - x \le 0$ and $x = 2$ are legal constraints which
imply $y \le 2$. Thus the rounding operation leaves $H_1$ unaffected. Similarly, time
successors can be added to $H_1$ giving $H_2 = (q_3, (x \ge 2 \wedge 0 \le x - y \le 1))$. A further
self-loop on $G_4$ followed by adding time successors yields $G_5 = (q_2, (0 \le x - y \le 2))$,
while the transition from $q_2$ to $q_3$ results in $H_3 = (q_3, (x \ge 2 \wedge 0 \le x - y \le 2))$ which
is a rounded region. Adding time successors to $H_3$ leaves it unchanged. The effect
of rounding can be seen when considering the next self-loop at $q_2$. The immediate
successors of the self-loop from $G_5$ are $(q_2, (y = 0 \wedge 1 \le x \le 3))$. The prejoin of these
successors with $G_5$ is $G_6 = (q_2, (0 \le x - y \le 3))$. The constraint $x - y \le 3$ is illegal,
since the constant exceeds $K_x = 2$. Removing $x - y \le 3$ from $G_6$'s DBM and replacing
it with the trivial bound $x - y < \infty$ results in the rounded region $G_7 = (q_2, (0 \le x - y))$,
and no further states are then added to the overapproximation.
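The prejoin of proposition 4.14 and the rounding steps of this example, worked in Python as an added illustration (not code from the thesis): a minimal DBM over the clocks $x$ and $y$ with canonicalisation, prejoin by pairwise maxima, time successors, reset and rounding, replaying the $G_5 \to G_6 \to G_7$ computation at $q_2$ of $A_2$ and the join of $(1, 0)$ and $(0, 1)$ at $q_1$ of $A_1$. Its representation (plain integer bounds with no strict inequalities, rounding applied only to upper bounds exceeding $K$, and $K_y = 1$ for the clock that is compared against 1) is this example's own simplification.

```python
"""DBM zone operations used in the A1 and A2 examples: canonical form,
prejoin (proposition 4.14), time successors, reset and rounding.
Simplifications of this added example: bounds are plain integers (the zones
here need no strict inequalities) and rounding only relaxes upper bounds
whose constant exceeds K, as in the G6 -> G7 step."""
from itertools import product

INF = float("inf")
N = 3                  # clocks: index 0 is the reference clock (always 0), then x, y
X, Y = 1, 2


def canonical(d):
    """Tighten every entry to the tightest bound implied by the others
    (Floyd-Warshall over the constraint graph). Returns None if the zone is empty."""
    d = [row[:] for row in d]
    for k, i, j in product(range(N), repeat=3):
        if d[i][k] + d[k][j] < d[i][j]:
            d[i][j] = d[i][k] + d[k][j]
    return None if any(d[i][i] < 0 for i in range(N)) else d


def zone(constraints):
    """Canonical DBM from constraints x_i - x_j <= c given as (i, j, c):
    x <= 2 is (X, 0, 2) and x >= 1 is (0, X, -1). Clocks are implicitly >= 0."""
    d = [[INF] * N for _ in range(N)]
    for i in range(N):
        d[i][i] = 0
        d[0][i] = 0                      # 0 - x_i <= 0
    for i, j, c in constraints:
        d[i][j] = min(d[i][j], c)
    return canonical(d)


def prejoin(a, b):
    """Proposition 4.14: the smallest zone enclosing canonical zones a and b
    has entries d_ij = max(a_ij, b_ij)."""
    return [[max(a[i][j], b[i][j]) for j in range(N)] for i in range(N)]


def intersect(a, b):
    return canonical([[min(a[i][j], b[i][j]) for j in range(N)] for i in range(N)])


def time_successors(d):
    """Let time pass: drop every clock's upper bound; difference bounds stay
    because all clocks advance together."""
    d = [row[:] for row in d]
    for i in range(1, N):
        d[i][0] = INF
    return canonical(d)


def reset(d, clock):
    """Reset one clock to 0: its row and column become those of the reference clock."""
    d = [row[:] for row in d]
    for j in range(N):
        d[clock][j] = d[0][j]
        d[j][clock] = d[j][0]
    d[clock][clock] = 0
    return canonical(d)


def round_zone(d, kmax):
    """Rounding: an upper bound x_i - x_j <= c with c > K_i (kmax[i], the largest
    constant x_i is compared against) is illegal and becomes the trivial bound INF."""
    d = [row[:] for row in d]
    for i in range(1, N):
        for j in range(N):
            if i != j and d[i][j] != INF and d[i][j] > kmax[i]:
                d[i][j] = INF
    return canonical(d)


def example_a2_rounding():
    """G5 -> G6 -> G7 at location q2 of A2: the self-loop has guard y = 1 and
    reset y := 0; the largest constants are K_x = 2 and K_y = 1 (assumed)."""
    kmax = {X: 2, Y: 1}
    g5 = zone([(X, Y, 2), (Y, X, 0)])          # 0 <= x - y <= 2
    guard = zone([(Y, 0, 1), (0, Y, -1)])       # y = 1
    succ = reset(intersect(g5, guard), Y)       # y = 0 and 1 <= x <= 3
    g6 = prejoin(g5, succ)                      # 0 <= x - y <= 3
    g7 = round_zone(g6, kmax)                   # x - y <= 3 dropped: 0 <= x - y
    return succ, g6, g7


def example_a1_join():
    """Joining the point zones (1, 0) and (0, 1) at q1 of A1: x <= 1 and y <= 1."""
    p10 = zone([(X, 0, 1), (0, X, -1), (Y, 0, 0)])
    p01 = zone([(X, 0, 0), (Y, 0, 1), (0, Y, -1)])
    return prejoin(p10, p01)
```

Entry `d[i][j]` bounds `x_i - x_j`, so `g7[X][Y] == INF` together with `g7[Y][X] == 0` is the region $0 \le x - y$ of the text.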


Chapter  5 


Verifying  Real-Time  Systems  — 
Part  II 


5.1  Symbolic  representation  of  control  locations 

In many realistic real-time systems, large state-spaces arise not only from the complexity
of timing information, but also from having numerous control locations. The
algorithm shown in the last chapter employed a single control location per approximating
set. If there are many reachable control locations, the algorithm will have to
store a large number of approximating sets. We counter this problem by clustering
together information across different control locations. The last chapter showed how
to use approximating sets of the form $(q, Z)$, where $q$ is a control location and $Z$ a
rounded time zone. We generalize this to allow approximating sets of the form $(A, Z)$
where $A$ is a set of locations and $Z$ is as before a rounded time zone. Thus control
information may be represented symbolically as well as the timing information. This
technique may dramatically reduce the number of approximating sets which need to
be considered.

We  first  define  the  approximating  operators.  Later  we  show  how  the  algorithm  is 
modified  to  allow  approximation  of  the  next-state  relation  as  well  as  approximation  of 
the  state-space.  These  modifications  are  necessary  for  efficiently  handling  the  issues 
of  urgent  events  and  safety  constraints  in  the  passage  of  time. 
5.1.1 Combining domains for approximation

We first show how different operators over different components of the state-space
can be combined. Suppose a state-space is the cross-product of two domains, e.g.
$S = S_0 \times S_1$. Approximating operators over the domains $S_0$ and $S_1$ can be combined
to give an approximating operator over $S$. For convenience, we use $(A, B)$ to denote
the cross-product $A \times B$ of $A$ and $B$.

Overapproximating

Given approximating sets $(A, B)$ and $(A', B')$ for $S_0 \times S_1$, and overapproximating
operators $\sqcup_1$ and $\sqcup_2$ over approximating sets for $S_0$ and $S_1$ respectively, we define
their combination $\sqcup$ such that

$(A, B) \sqcup (A', B') = (A \sqcup_1 A', B \sqcup_2 B')$

Let $D$ be the domain consisting of the pairs of approximating sets for $S_0$ and $S_1$.

Proposition 5.1 The operator $\sqcup$ defined above is an overapproximating operator
over $D$.

Proof: The operator is closed over $D$ since each of the component operators is.
Furthermore, $(A, B) \subseteq (A \sqcup_1 A', B \sqcup_2 B')$ since $A \subseteq A \sqcup_1 A'$ and $B \subseteq B \sqcup_2 B'$. The
argument for $(A', B')$ is analogous. □

Underapproximating

Given approximating sets $(A, B)$ and $(A', B')$ and underapproximating operators $\triangleright_1$
and $\triangleright_2$ over approximating sets for $S_0$ and $S_1$ respectively, we define their combination
$\triangleright$ as

$(A, B) \triangleright (A', B') = \begin{cases} (A', B') & \text{if } (A, B) \subseteq (A', B') \\ (A \triangleright_1 A', B) & \text{if } B \subseteq B' \text{ and } A \not\subseteq A' \\ (A, B \triangleright_2 B') & \text{if } A \subseteq A' \text{ and } B \not\subseteq B' \\ (A, B) & \text{otherwise} \end{cases}$

Proposition 5.2 The operator $\triangleright$ defined above is an underapproximating operator
over $D$.

Proof: The operator is clearly well-defined and closed.

Containment is obvious for the first and last cases. By symmetry, we need only
explain the second case. If $B \subseteq B'$, then since $A \triangleright_1 A' \subseteq A \cup A'$, it follows that
$(A \triangleright_1 A', B) \subseteq (A \cup A', B) = (A, B) \cup (A', B) \subseteq (A, B) \cup (A', B')$.

Finally, the non-emptiness condition is satisfied because of the first case. □

Real-time operators

To specify the operators used for approximating real-time systems, we need only
provide the operators over the two domains of control locations, and timer vectors.
These operators can be combined as outlined above. We use the same operators as
before over timer vectors. For simplicity, we use the exact union operator over sets
of control locations, i.e. $A \sqcup_1 A' = A \cup A'$.
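The combined operators of this subsection, worked in Python as an added illustration (not the thesis's code): $\sqcup_1$ is the exact union over location sets as stated above, and both components are modelled as finite sets so that the containment properties of proposition 5.2 can be checked by enumerating every pair of approximating sets. The location set {q0, q1, q2}, the timer values {0, 1, 2} and the merge-on-overlap operator under_merge are constructed for this example.

```python
"""Product-domain approximating operators of section 5.1.1, with both
components modelled as finite sets so proposition 5.2 can be checked by
enumeration. Added illustration, not code from the thesis; the universes
below are constructed for the example."""
from itertools import product

LOCATIONS = frozenset({"q0", "q1", "q2"})
TIMERS = frozenset({0, 1, 2})


def over_union(a, b):
    """Exact union: the overapproximating operator used over location sets."""
    return a | b


def under_cover(a, b):
    """Single-set underapproximating operator in the style of section 4.5.2:
    b replaces a only when b already contains it."""
    return b if a <= b else a


def under_merge(a, b):
    """Alternative underapproximating operator (constructed): merge when the
    sets overlap, so the result lies between a and a | b."""
    return a | b if a & b else a


def combine_over(p, q, over1=over_union, over2=over_union):
    """(A, B) join (A', B') = (A join_1 A', B join_2 B')."""
    (a, b), (a2, b2) = p, q
    return (over1(a, a2), over2(b, b2))


def combine_under(p, q, under1=under_cover, under2=under_cover):
    """The four-case product underapproximating operator (A, B) |> (A', B')."""
    (a, b), (a2, b2) = p, q
    if a <= a2 and b <= b2:          # (A, B) is contained in (A', B')
        return (a2, b2)
    if b <= b2:                      # ... and A is not contained in A'
        return (under1(a, a2), b)
    if a <= a2:                      # ... and B is not contained in B'
        return (a, under2(b, b2))
    return (a, b)


def points(p):
    """The timed-states of the cross-product A x B."""
    a, b = p
    return {(loc, t) for loc in a for t in b}


def subsets(universe):
    """All non-empty subsets (approximating sets are non-empty)."""
    items = sorted(universe)
    for bits in product((False, True), repeat=len(items)):
        s = frozenset(x for x, keep in zip(items, bits) if keep)
        if s:
            yield s


def check_proposition_5_2(under1, under2):
    """Containment (A,B) <= (A,B) |> (A',B') <= (A,B) U (A',B') as sets of
    timed-states, and (A,B) |> (A',B') = (A',B') whenever (A',B') covers (A,B),
    for every pair of approximating sets over the small universes."""
    for a, a2 in product(subsets(LOCATIONS), repeat=2):
        for b, b2 in product(subsets(TIMERS), repeat=2):
            p, q = (a, b), (a2, b2)
            r = combine_under(p, q, under1, under2)
            if not points(p) <= points(r) <= points(p) | points(q):
                return False
            if points(p) <= points(q) and r != q:
                return False
    return True
```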

5.1.2  Computing  successors 

In the case of a single control location per approximating set, it is easy to compute
the exact set of successors of an approximating set for any transition. The set of
successors is itself an approximating set. When the approximating sets include sets
of control locations, it is still straightforward to compute successors under instantaneous
transitions. Timing information for the successors is independent of the control
locations: if a transition is taken, its reset action must be applied to all timer values,
regardless of the incoming or outgoing control locations. However, computing
the exact set of time successor states is more complicated, because now the control
locations affect timing information: urgent events and safety invariants may restrict
how long time can pass. Consider the problem of efficiently finding the set of time
successor states for the approximating set $(A, Z)$. Each location $q \in A$ has a potentially
different safety invariant, so the number of approximating sets in the time
successors of $(A, Z)$ may be as large as the size of $A$. If this were the case, it would
defeat the purpose of grouping together information about different control locations
in the same approximating set. Furthermore, time is not permitted to pass in those
control locations with urgent events enabled. We tackle this problem by allowing
approximations of the next-state relation, as discussed in section 2.4.


5.2  Approximating  real-time  systems 

In  this  section  we  describe  the  full  algorithm  advocated  for  verifying  real-time  sys¬ 
tems  using  approximations  over  control  information  and  timing  information.  The 
next-state  relation  for  time-passage  events  is  both  underapproximated  and  overap¬ 
proximated.  The  algorithm  requires  the  use  of  additional  splitting  between  traversals 
to  ensure  termination. 

5.2.1  Approximating  next-state  relations 

The algorithm proceeds exactly as described above in section 5.1, except that the
next-state relation is approximated for the passage of time. Exact computation is
performed for instantaneous events. Recall that the next-state relation for a timed
safety automaton is the disjunction

$N = \bigcup_{e \in T} N_e \cup N_\delta$

where the time-passage relation is

$N_\delta = \bigcup_{t \ge 0} N_{\delta_t}$

We assume as before that urgent events are constrained only by control locations,
and are independent of timing information. Let $\mathit{Urg}(Q)$ be those control locations
for which there is some outgoing urgent event. For each $t \in \mathbb{R}$, we observe that

$N_{\delta_t} = \{ ((q, \mathbf{x}), (q, \mathbf{x} + t)) \mid q \in Q \setminus \mathit{Urg}(Q),\ \mathbf{x} + t \in \mathit{Inv}(q) \}$

The relation $N_\delta$ is not closed over approximating sets. In general the successors
$N_\delta((A, Z))$ form a set of approximating sets, one for control locations in $\mathit{Urg}(Q)$, and




up to one each for every different safety invariant for the locations in $A$.

$N_\delta((A, Z)) = (A \cap \mathit{Urg}(Q), Z) \cup \bigcup_{q \in A \setminus \mathit{Urg}(Q)} (q, Z^{\uparrow} \cap \mathit{Inv}(q))$

Notice that this successor set need not be represented with one approximating set for
every location in $A \setminus \mathit{Urg}(Q)$, since the approximating sets with locations sharing the
same safety invariant will share the same time zone, and thus can be combined into
approximating sets of the form $(\{ q \in A \setminus \mathit{Urg}(Q) \mid \mathit{Inv}(q) = \mathit{Inv}(q') \}, Z^{\uparrow} \cap \mathit{Inv}(q'))$.
However, the number of such sets can still be prohibitively large, especially since the
timed safety automaton often represents the product of several parallel processes,
so there may be exponentially many² different safety invariants for a set of control
locations.

So while it is possible to use an exact next-state relation, we prefer to approximate
the time successors using an overapproximating (set) next-state relation, and an underapproximating
(set) next-state relation which returns exactly one approximating
set rather than the list of approximating sets which would be returned by an exact
computation.

The overapproximating relation $\overline{N}_\delta$ for the forwards relation $N_\delta$ is defined as

$\overline{N}_\delta((A, Z)) = \begin{cases} (A, Z) & \text{if } A \subseteq \mathit{Urg}(Q) \\ (A, Z^{\uparrow} \cap \mathit{Inv}(q)) & \text{if } A \not\subseteq \mathit{Urg}(Q) \text{ and } \forall q' \in A,\ \mathit{Inv}(q) = \mathit{Inv}(q') \\ (A, Z^{\uparrow}) & \text{otherwise} \end{cases}$

The underapproximating relation $\underline{N}_\delta$ for the forwards relation $N_\delta$ is defined as

$\underline{N}_\delta((A, Z)) = \begin{cases} (A, Z^{\uparrow} \cap \mathit{Inv}(q)) & \text{if } A \cap \mathit{Urg}(Q) = \emptyset \text{ and } \forall q' \in A,\ \mathit{Inv}(q) = \mathit{Inv}(q') \\ (A, Z) & \text{otherwise} \end{cases}$


²There may be a different invariant for every control location, and so the number of invariants
may be exponential in the number of processes.
The approximating relations used for computing backwards reachable states are similar.
The overapproximating relation $\overline{N}^{-1}_\delta$ for the relation $N^{-1}_\delta$ is defined as

$\overline{N}^{-1}_\delta((A, Z)) = \begin{cases} (A, Z) & \text{if } A \subseteq \mathit{Urg}(Q) \\ (A, (Z \cap \mathit{Inv}(q))^{\downarrow}) & \text{if } A \not\subseteq \mathit{Urg}(Q) \text{ and } \forall q' \in A,\ \mathit{Inv}(q) = \mathit{Inv}(q') \\ (A, Z^{\downarrow}) & \text{otherwise} \end{cases}$

The underapproximating relation $\underline{N}^{-1}_\delta$ for the relation $N^{-1}_\delta$ is defined as

$\underline{N}^{-1}_\delta((A, Z)) = \begin{cases} (A, (Z \cap \mathit{Inv}(q))^{\downarrow}) & \text{if } A \cap \mathit{Urg}(Q) = \emptyset \text{ and } \forall q' \in A,\ \mathit{Inv}(q) = \mathit{Inv}(q') \\ (A, Z) & \text{otherwise} \end{cases}$

Let the domain of sets $\mathcal{Q}$ be defined as $\{ (q, \mathbb{R}^n) \mid q \in Q \}$.

Proposition 5.3 1. The overapproximating relation $\overline{N}_\delta$ ($\overline{N}^{-1}_\delta$) is an overapproximation
of the next-state relation $N_\delta$ ($N^{-1}_\delta$).

2. Furthermore, $\overline{N}_\delta$ and $\overline{N}^{-1}_\delta$ exactly match $N_\delta$ over sets for which all control locations
share the same safety invariant and urgency information, and hence
exactly match over $\mathcal{Q}$. □

Proposition 5.4 1. The underapproximating relation $\underline{N}_\delta$ ($\underline{N}^{-1}_\delta$) is an underapproximation
of the next-state relation $N_\delta$ ($N^{-1}_\delta$).

2. Furthermore, $\underline{N}_\delta$ and $\underline{N}^{-1}_\delta$ exactly match $N_\delta$ over sets for which all control locations
share the same safety invariant and urgency information, and hence
exactly match over $\mathcal{Q}$. □

To guarantee termination, it would suffice to show that whenever the routine
Over_Approx is run with the approximate next-state relations $\overline{N}_\delta$, $\overline{N}^{-1}_\delta$, $\underline{N}_\delta$, and $\underline{N}^{-1}_\delta$,
successive overapproximations are strictly decreasing with respect to $\prec_{\mathit{base}}$. Unfortunately,
however, this is not the case. We use instead the policy introduced in
section 2.4 of additional splitting to force the overapproximations to decrease with
respect to $\prec_{\mathit{set}}$ until they eventually refine the partition $\mathcal{Q}$. Then since the approximating
relations are exactly matching over $\mathcal{Q}$, termination follows.

5.2.2  Algorithm  for  real-time  systems 

The algorithm uses approximate next-state relations $\overline{N} = \bigcup_{e \in T} N_e \cup \overline{N}_\delta$, $\underline{N} = \bigcup_{e \in T} N_e \cup \underline{N}_\delta$,
$\overline{N}^{-1} = \bigcup_{e \in T} N^{-1}_e \cup \overline{N}^{-1}_\delta$, and $\underline{N}^{-1} = \bigcup_{e \in T} N^{-1}_e \cup \underline{N}^{-1}_\delta$.

By propositions 5.3 and 5.4 and theorem 2.26, convergence is guaranteed if the
approximating sets are forcibly refined until control locations share the same urgency
information and invariants. Thus to ensure termination we may choose any maximal
class for which the next-state relations are not exactly matching, and refine it
by separating locations with different timing characteristics. We prefer to choose
the classes for splitting in a way that will likely result in faster convergence of the
approximations. The classes chosen for splitting are those sets $A$ which are not adequately
covered by the underapproximation. The idea is that in order to accelerate
convergence, the underapproximation should increase as quickly as possible towards
the overapproximation, while the overapproximation should decrease as fast as possible
towards the underapproximation. By further dividing a separating class $C$ by
distinguishing states in the underappro­ximation from those not, we simultaneously
force the overapproximations to be more accurate within $C$, and provide a means for
the underapproximation to include more states in $C$.

Real-time  approximation  algorithm 

The algorithm appears in figure 5.1. An overapproximation $A$ is not merely flattened
and used directly as the separating structure for the next traversal. Instead it is
refined via the function Refine_Maximal() into a structure $C$ such that $C \prec_{\mathit{set}} A$. The
result of calling Refine_Maximal with overapproximation $A$ and underapproximation
$R$ is a separating structure obtained from $A$ by replacing every maximal set $A$ with
two disjoint parts:

1. $A_1 = (Q_1 \times \mathbb{R}^n) \cap A$

2. $A_2 = (Q_2 \times \mathbb{R}^n) \cap A$

where $A_1 \cup A_2 = A$. We define $\mathit{proj}(Q)(W)$ to be the set of all control locations
found in the set of timed-states $W$. The splitting of $A$ may be obtained by separating
control locations by any one of the following criteria:

1. $Q_1 = \mathit{proj}(Q)(A \cap \bigcup R)$, or,

2. $Q_1 = \mathit{Urg}(Q) \cap \mathit{proj}(Q)(A)$, or

3. $N_\delta(A_1) \ne A_1$

The first condition corresponds to separating out those control locations that have
timed-states in the underapproximation already from those that do not. This policy
is the one suggested in the discussion above. The second and third conditions reflect
attempts to decrease the next overapproximation, by separating out control locations
for which the passage of time could result in fewer timed-states being encountered,
i.e. for some subset $A'$ of $A_1$, $N_\delta(A') \subset A_1$. Such sets of locations $Q_1$ may be obtained
by splitting according to the safety invariants associated with control locations, or by
separating the locations which have urgent outgoing events.

RT-Approx
    Over[BACKWARDS] := original separating structure;
    Under[BACKWARDS] := empty approximating structure;
    confirmed-positive := FALSE;
    confirmed-negative := FALSE;
    dirn := FORWARDS;

    while ((not confirmed-positive) and (not confirmed-negative)) do
        Sep-Structure :=
            Refine_Maximal(Over[Opposite_Dirn(dirn)], Under[Opposite_Dirn(dirn)]);
        Over[dirn] :=
            Over_Approx(dirn, N, Sep-Structure, Under[Opposite_Dirn(dirn)]);
        Sep-Structure := Flatten(Over[dirn]);
        Under[dirn] := Under_Approx(dirn, N, Over[dirn]);
        dirn := Opposite_Dirn(dirn);
    endwhile

Figure 5.1: Real-time approximating algorithm




Simple  timed  automata 

If we are verifying simple timed automata, there is no need to approximate the next-state
relation $N_\delta$. The syntax of simple timed automata does not allow urgent events,
nor safety invariants, and so finding the exact sets of time successors and predecessors
is always efficient, i.e. $N_\delta((A, Z)) = (A, Z^{\uparrow})$, and $N^{-1}_\delta((A, Z)) = (A, Z^{\downarrow})$.

5.2.3  Properties  of  algorithm 

Proposition 5.5 Each overapproximation $FO_i$ from the algorithm above will either
be strictly decreasing with respect to $\prec_{\mathit{set}}$, i.e. $FO_i \prec_{\mathit{set}} FO_{i-1}$, or the approximate
next-state relations will be exactly matching over $FO_i$.

Proof: Suppose the approximate relations are not exactly matching. Then by the
definitions of the approximating relations there must be a set $A$ for which the control
locations differ for either safety invariants or urgent events, i.e. $\exists q, q' \in \mathit{proj}(Q)(A)$
such that $\mathit{Inv}(q) \ne \mathit{Inv}(q')$, or $\exists q, q' \in \mathit{proj}(Q)(A)$ such that $q \in \mathit{Urg}(Q)$ and $q' \notin \mathit{Urg}(Q)$.
There must be a maximal set containing this set $A$, for which the control
locations also differ in this regard. This set will be split causing $FO_i$ to be computed
with respect to a separating structure strictly less than $FO_{i-1}$, and hence $FO_i \prec_{\mathit{set}} FO_{i-1}$.
A similar argument holds for backwards approximations. □

Proposition 5.6 The algorithm above terminates for real-time systems.

Proof: The result follows from proposition 5.5, the fact that the approximating relations
are exact over $\mathcal{Q}$ and theorem 2.26. □


5.3  Ordered  binary  decision  diagrams 

The success of using approximations over control information depends heavily on having
an efficient representation for sets of control locations. We therefore conclude this
chapter by reviewing an effective symbolic representation for Boolean functions, the
ordered binary decision diagram (OBDD) due to Bryant [Bry86]. This representation
is used by our implementation for describing sets of control locations. In hardware
verification and protocol verification, OBDDs have enabled successful formal verification
well beyond the range of a traditional explicit implementation [BCM+90]. In
addition they have been used for a variety of other problems involving manipulation of
a system's state-space, including the synthesis of supervisory controllers [HWT92b],
logic synthesis [FKM91], sensitivity analysis and test generation [CB89], and logical
databases [MC91].

Before defining OBDDs, we first describe how an untimed transition system can be expressed and verified using Boolean functions.

5.3.1  Relations  and  Boolean  functions 

A transition system can be viewed as a set of tuples, which can in turn be expressed as Boolean functions. Operations on sets of states of a transition system can be expressed as manipulations on Boolean functions. This section makes this encoding more explicit. If $Q$ is the set of locations of a transition diagram or automaton, let $Q' = \{q' \mid q \in Q\}$ be a set of locations representing the same locations in the next state of execution. If the alphabet of edge labels is $\Sigma$, a next-state relation for the transition function can be expressed as a set $S$ of tuples in $Q \times \Sigma \times Q'$. The sets of initial locations and final locations of an automaton can be thought of as sets of 1-tuples.

Any set of $n$-tuples $T \subseteq X_1 \times X_2 \times \cdots \times X_n$ can be expressed by its characteristic function, i.e. a Boolean function $f : X_1 \times X_2 \times \cdots \times X_n \to \{0, 1\}$ where $f(t) = 1$ iff $t \in T$. We can assume each domain $X_i$ is Boolean. If $X_i$ has more than two elements we can replace it by $\lceil \log(|X_i|) \rceil$ Boolean domains, giving a binary encoding of its elements. It follows then that next-state relations, and predicates describing initial states and final states, can all be expressed as Boolean functions over Boolean domains.

5.3.2  Ordered  binary  decision  diagrams 

An ordered binary decision diagram essentially encodes a Boolean function as a binary decision tree with the added restriction that the decisions are performed in a fixed order. In addition, common subtrees are shared for efficiency, thus resulting in a directed acyclic graph (DAG). The value of the function for a particular variable assignment can be read by traversing the tree starting from the root, at each node branching according to the value of the variable labeling that node. Figure 5.2 shows a DAG representing $f = (x_1 \vee x_2) \wedge (x_3 \vee x_4)$. The variable assignment $(x_1 = 0, x_2 = 1, x_3 = 1, x_4 = 1)$ leads to a node marked 1. Thus $f$ is true under this variable assignment. Notice that the value of $x_4$ is irrelevant. The path followed symbolically represents the two variable assignments $(x_1 = 0, x_2 = 1, x_3 = 1, x_4 = 0)$ and $(x_1 = 0, x_2 = 1, x_3 = 1, x_4 = 1)$.

Figure 5.2: OBDD for the Boolean function $(x_1 \vee x_2) \wedge (x_3 \vee x_4)$

Canonical  form 

However a Boolean function does not have a unique representation as a DAG. An OBDD is a DAG satisfying the additional constraint that the occurrence of variables on every path from the root to a leaf obeys a given total order. The DAG in Figure 5.2 is in fact an OBDD with variable ordering $x_1 < x_2 < x_3 < x_4$. Bryant showed that for any total order on the variables, every Boolean function is represented by a unique OBDD respecting that order. The advantage of having such a canonical form is that logical tests on Boolean functions given as OBDDs are easy: logical equivalence can be determined in linear time, and satisfiability and validity can be tested in constant time. For example, a formula is valid iff its OBDD representation is the same as that for TRUE.
Operations on OBDDs

Bryant also gave efficient algorithms to perform standard Boolean operations on OBDDs. The complexity of finding the OBDD for the logical AND, OR, or NOT of two OBDDs is bounded by the product of the sizes of the two OBDDs. To compute the successor states of a set of states, we need the additional operation of quantification. The existential quantification formula $\exists x_i[f]$ can be read as "($f$ holds when $x_i$ is FALSE) OR ($f$ holds when $x_i$ is TRUE)". We use Bryant's restriction algorithm for $f|_{x_i=0}$ and $f|_{x_i=1}$ to implement $\exists x_i[f]$ as $f|_{x_i=0} \vee f|_{x_i=1}$.


Computational  issues 

The main advantage of using OBDDs to represent Boolean functions is that they are often far smaller than an explicit truth table representation. This fact can lead in practice to greatly improved performance but does not alter the exponential worst-case complexity per se. Thus the use of OBDDs is merely a heuristic to reduce the size of representing a Boolean function. Bryant has shown that there is no variable ordering that avoids an exponential representation of a multiplier. There is therefore no guarantee that implementations based on OBDDs will outperform those using explicit data structures. In the field of finite-state verification however, numerous researchers have already reported substantial improvements due to OBDDs [CK91, BCM+90] over particular problem domains.

Finally, we note that typically an OBDD's size depends crucially on the chosen variable ordering. Intuitively a small OBDD will result when the function's value can be correctly determined from the remaining variable values and only a small amount of intermediate information about the variables already seen. It is generally desirable for a variable ordering to bunch together variables that are highly interdependent. For example, suppose $W_1 = \{x_{11}, \ldots, x_{1n_1}\}, \ldots, W_m = \{x_{m1}, \ldots, x_{mn_m}\}$ is a partition of the variables of $f$, and $f = f_1 \wedge \cdots \wedge f_m$ where each $f_i$ depends only on variables in $W_i$. Let the size of the OBDD for $g$ be denoted $|g|$. Then $|f| = O(|f_1| + \cdots + |f_m|)$ under the variable ordering $x_{11} < \cdots < x_{1n_1} < \cdots < x_{m1} < \cdots < x_{mn_m}$. Such a scenario can arise when composing loosely coupled components in a product system. This reduced complexity is a substantial gain over an explicit representation that would be exponential in the number of components. However with a bad choice of variable ordering, the OBDD representation could also be exponential. Hence some understanding of the nature of the problem is needed to select a good variable ordering. This thesis does not explore this issue or exploit any of the advantages obtainable from clever variable orderings.
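The encoding of section 5.3.1, the canonical form and operations of section 5.3.2, and the variable-ordering effect just discussed, as one added worked example that is not part of the thesis or its verifier: a small reduced OBDD package in Python in the style of Bryant's algorithms. The class OBDD, the demo functions, the two-location automaton and the ordering $x_1 < x_3 < x_2 < x_4$ (chosen to separate the coupled pairs of the Figure 5.2 function) are all constructed for this example.

```python
# Added example, not code from the thesis: a small reduced OBDD in the style of
# Bryant's algorithms, plus the tuple-to-characteristic-function encoding of 5.3.1.
OPS = {"and": lambda a, b: a & b, "or": lambda a, b: a | b, "xor": lambda a, b: a ^ b}

class OBDD:
    """Reduced OBDD over a fixed variable order; ids 0/1 are the terminals FALSE/TRUE.
    Hash-consing in mk() makes functions canonical: equal functions get equal ids."""
    def __init__(self, order):
        self.level = {v: i for i, v in enumerate(order)}  # variable -> rank in order
        self.unique, self.node, self.cache = {}, {0: None, 1: None}, {}  # tables/memo

    def mk(self, var, lo, hi):
        """Drop redundant tests and share equal subgraphs (the unique table)."""
        if lo == hi:
            return lo
        if (var, lo, hi) not in self.unique:
            self.unique[(var, lo, hi)] = len(self.node)
            self.node[len(self.node)] = (var, lo, hi)
        return self.unique[(var, lo, hi)]

    def var(self, v): return self.mk(v, 0, 1)
    def rank(self, f): return float("inf") if f in (0, 1) else self.level[self.node[f][0]]

    def apply(self, op, f, g):
        """Bryant's apply: the result has at most |f| * |g| nodes."""
        if (op, f, g) not in self.cache:
            if f in (0, 1) and g in (0, 1):
                res = OPS[op](f, g)
            else:
                top = min(self.rank(f), self.rank(g))        # split on the topmost variable
                v = self.node[f][0] if self.rank(f) == top else self.node[g][0]
                f0, f1 = self.node[f][1:] if self.rank(f) == top else (f, f)
                g0, g1 = self.node[g][1:] if self.rank(g) == top else (g, g)
                res = self.mk(v, self.apply(op, f0, g0), self.apply(op, f1, g1))
            self.cache[(op, f, g)] = res
        return self.cache[(op, f, g)]

    def AND(self, f, g): return self.apply("and", f, g)
    def OR(self, f, g): return self.apply("or", f, g)
    def NOT(self, f): return self.apply("xor", f, 1)

    def restrict(self, f, v, val):
        """f with variable v fixed to val (Bryant's restriction algorithm)."""
        if f in (0, 1) or self.rank(f) > self.level[v]:
            return f                                          # v does not occur below f
        var, lo, hi = self.node[f]
        if var == v:
            return hi if val else lo
        return self.mk(var, self.restrict(lo, v, val), self.restrict(hi, v, val))

    def exists(self, f, v):
        """Existential quantification as f|v=0 OR f|v=1, as described in the text."""
        return self.OR(self.restrict(f, v, 0), self.restrict(f, v, 1))

    def evaluate(self, f, assignment):
        """Read f's value by one root-to-leaf walk, branching on each node's variable."""
        while f not in (0, 1):
            var, lo, hi = self.node[f]
            f = hi if assignment[var] else lo
        return f

    def size(self, f):
        """Number of non-terminal nodes reachable from f."""
        seen, stack = set(), [f]
        while stack:
            n = stack.pop()
            if n not in (0, 1) and n not in seen:
                seen.add(n)
                stack.extend(self.node[n][1:])
        return len(seen)

    def from_tuples(self, tuples, variables):
        """Characteristic function of a set of Boolean tuples (section 5.3.1)."""
        f = 0
        for t in tuples:
            term = 1
            for v, b in zip(variables, t):
                term = self.AND(term, self.var(v) if b else self.NOT(self.var(v)))
            f = self.OR(f, term)
        return f

def demo_figure_5_2():
    """(x1 v x2) ^ (x3 v x4) under the Figure 5.2 order and under an order that
    interleaves the two coupled pairs; returns (size, canonical?, f(0,1,1,1))."""
    out = {}
    for order in (("x1", "x2", "x3", "x4"), ("x1", "x3", "x2", "x4")):
        b = OBDD(order)
        x1, x2, x3, x4 = (b.var(v) for v in ("x1", "x2", "x3", "x4"))
        f = b.AND(b.OR(x1, x2), b.OR(x3, x4))
        g = b.NOT(b.OR(b.AND(b.NOT(x1), b.NOT(x2)), b.AND(b.NOT(x3), b.NOT(x4))))
        out[order] = (b.size(f), f == g, b.evaluate(f, {"x1": 0, "x2": 1, "x3": 1, "x4": 1}))
    return out

def demo_successor_locations():
    """Constructed two-location automaton delta = {(q0,a,q1), (q1,b,q0)} over Boolean
    variables q (current), s (label, a=0/b=1), qn (next). The successors of {q0} are
    exists q, s [Init(q) AND delta(q, s, qn)], a function of qn alone."""
    b = OBDD(["q", "s", "qn"])
    delta = b.from_tuples([(0, 0, 1), (1, 1, 0)], ["q", "s", "qn"])
    init = b.NOT(b.var("q"))                                  # the set {q0}
    image = b.exists(b.exists(b.AND(init, delta), "q"), "s")
    return {"succ_of_q0_is_q1": image == b.var("qn"),
            "delta_membership": (b.evaluate(delta, {"q": 0, "s": 0, "qn": 1}),
                                 b.evaluate(delta, {"q": 0, "s": 1, "qn": 1})),
            "tautology_is_TRUE_node": b.OR(b.var("q"), b.NOT(b.var("q"))) == 1}
```

Because the unique table hands back the same node id for the same reduced graph, `f == g` is the constant-time equivalence test the text mentions and comparing against node 1 is the validity test. The Figure 5.2 function needs 4 non-terminal nodes under $x_1 < x_2 < x_3 < x_4$ but 6 under the interleaved order, which is the ordering effect of the last paragraph in miniature.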


Chapter  6 
Case  Studies 


We give some examples of real-time systems described as timed automata. We also provide automata for several timing properties used as specifications. Throughout the chapter we provide hints for describing various aspects of timing behavior. We conclude with a discussion of the limitations of using timed automata as a representation language. The performance of our verifier on the following examples can be found in chapter 8.


6.1  Examples 

6.1.1  Train-gate  controller 

Our  first  example  is  one  which  appears  frequently  in  the  literature:  an  automatic 
controller  which  opens  and  closes  a  gate  at  a  railway  track  intersection  [LS85,  Alu91]. 
The  system  consists  of  three  components:  a  train,  a  gate,  and  their  controller.  The 
automata  modeling  the  system’s  components  are  shown  in  Figure  6.1.  Whenever  a 
train  enters  the  intersection,  it  sends  an  approach  signal  at  least  2  seconds  in  advance 
to  the  controller.  The  controller  also  detects  the  train  leaving  the  intersection,  and 
this  event  occurs  within  5  seconds  after  it  started  its  approach.  The  gate  responds  to 
lower  and  raise  commands  by  moving  down  and  up  respectively  within  certain  time 
bounds. The controller sends a lower command to the gate exactly 1 second after receiving an approach signal from the train. It commands the gate to raise within 1 second of the train's exit from the intersection.

Figure 6.1: Automata for train-gate controller example

Figure 6.2: Real-time safety specification

We verify a simple real-time safety property, namely that whenever the gate goes down, it is moved back up within a certain upper time bound $K$. In other words, the gate is never down for as long as $K$ seconds. See the Spec automaton in Figure 6.2. It is deterministic and its completion is expressed by the same automaton with the added location $q_2$ which is marked as violating. The timing conditions on the edges from $q_1$ to $q_2$ are the complement of the existing edges for each event. In this case they happen to be the same for both down and up events. We do not need to add edges from $q_0$ to $q_2$ since both events are already enabled at all times in $q_0$. Whenever the specification constant $K$ is greater than or equal to 7 the specification is satisfied.
Figure 6.3: Tick-Tock protocol block diagram

From our experience, it is surprisingly easy to specify such bounded liveness properties incorrectly by forgetting the transition labeled $\alpha$ which indicates that the deadline has been missed. With this omission the specification will only catch error traces where the gate does not go up within $K$ time units and does go up or down sometime later. It detects events occurring too late, but does not notice the error if no further events occur.
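The pitfall described above, as an added example that is not from the thesis: a Python trace checker for the completed Spec automaton of Figure 6.2, run with and without the deadline edge. The function names, the traces and the value $K = 7$ are constructed for this example (the thesis only states that the specification holds for $K \geq 7$); the checker treats a trace as a finite timed word plus the time up to which the run was observed, so that "no further events occur" is representable.

```python
# Added example, not from the thesis: the completed Spec automaton of Figure 6.2
# as a trace checker, with the deadline (alpha) edge switchable on and off.
K = 7  # assumed value of the specification constant for this demo

def check_gate_spec(trace, end_time, k=K, deadline_edge=True):
    """trace: list of (time, event) with event in {'down', 'up'} and nondecreasing
    times; end_time: the time up to which the run was observed.
    Locations: q0 = gate up, q1 = gate down (clock x reset on entry), q2 = violating.
    Returns 'violation' if q2 is reached, else 'ok'."""
    loc, down_at = "q0", None
    for t, ev in trace:
        if loc == "q1" and t - down_at >= k:
            return "violation"          # complemented timing edge q1 -> q2 taken on an event
        if loc == "q0" and ev == "down":
            loc, down_at = "q1", t      # start measuring time spent down
        elif loc == "q1" and ev == "up":
            loc = "q0"                  # raised within k: back to q0 (a repeated 'down' stays in q1)
    # the deadline edge fires on time passage alone: k units elapse in q1 with no event
    if deadline_edge and loc == "q1" and end_time - down_at >= k:
        return "violation"
    return "ok"

def demo_gate_traces():
    """Three constructed traces: a good run, a late 'up', and a gate that goes down
    and is never raised again (the case the text says the incomplete spec misses)."""
    good = [(0, "down"), (3, "up"), (5, "down"), (9, "up")]
    late = [(0, "down"), (10, "up")]
    silent = [(0, "down")]
    return {"good": check_gate_spec(good, 12),
            "late": check_gate_spec(late, 12),
            "silent_with_deadline_edge": check_gate_spec(silent, 20),
            "silent_without_deadline_edge": check_gate_spec(silent, 20, deadline_edge=False)}
```

The `silent` trace is the one that matters: both variants flag the late `up`, but only the checker with the deadline edge reports the gate that simply stays down, which is exactly the error a verifier exploring time passage must be able to reach.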

6.1.2  Tick-Tock  protocol 

The Tick-Tock protocol [LLD94] has been proposed as a test-bed for evaluating the success of formalisms for specifying real-time systems. The protocol describes three processes: a sender, a receiver, and a service component. The service entity has been modeled as timed automata by Daws et al [DOY94], who verify the component against various properties expressed in TCTL, a real-time temporal logic. Here we show how some, but not all, of the properties they verify can be modeled as timed safety automata. Thus in some cases their timing verification problems can be reduced to timed safety verification as outlined in chapter 3.

System  description 

The role of the server component is to provide buffered transmission of data from the sender to the receiver, as depicted in figure 6.3. Communication is through data cells passed one at a time through Service Access Points (SAPs). The sender provides cells to the service at the SAP referred to as the SS_SAP. The server then passes them reliably on to the receiver at the SR_SAP. The only way a cell is lost is if the receiver is not ready to receive an offer from the server. Here we do not model the full protocol, where the service may also crash. The behavior of the server satisfies the following timing constraints:

Isochronism: The server offers to accept cells from the sender only at regular instants, $\pi$ time units apart. At most one cell is received at any time, and the exchange is considered to be instantaneous.

Transmission delays: The server always delays between $\tau_{min}$ and $\tau_{max}$ time units between receiving a cell at SS_SAP from the sender and then delivering the cell to an internal buffer.

Spacing between deliveries: There must be a time delay of at least $a$ time units between deliveries.

Immediate acceptance: The server offers the receiver a cell at SR_SAP as soon as delivery to its internal buffer is completed. If the receiver does not accept the cell, it is lost.

The description of the server is given by Daws et al as the product of the automata in figure 6.4. Note that the delivery of each cell is meant to take place as soon as it is enabled, modeled by the urgent event in the transmission delay automaton. The service may offer to buffer up to $n$ SS_SAP cells at any given time. This situation is modeled by $n$ different transmission delay components, each with events labeled by a unique identifier. The transmission delays are modeled by the product of all the delay cell components. However this process has events tagged with an identifier $i$ signifying that it comes from the $i$-th delay cell. As far as the other processes are concerned, it is irrelevant which cell provides the buffering, so the events are abstracted in the delay component before composing them with the other processes, e.g. all $Del_i$ events are abstracted to $Del$.

Footnote: Alternatively, the transitions for delivery and SS_SAP events which occur in other processes could be replicated, one for each delivery or SS_SAP exchange.


Figure 6.4: Tick-Tock service entity (components: Isochronism; Transmission delays, $i$-th cell, with event $Del$, clock $w$ reset $w := 0$ and guard $w = 0$ at SR_SAP; Spacing; Immediate acceptance)


Specification  properties 

Each component in the model of the server places a restriction on the server's behavior. However it does not guarantee that the service will be offered in a timely manner. For instance the isochronism requirement states that SS_SAP exchanges may occur at most at regular punctual instants separated by $\pi$ time units, but in fact the server may not be ready to accept an SS_SAP because transmission may be delayed while waiting for delivery to occur.

Following  Daws  et  al,  we  verify  the  server  against  the  following  three  categories 
of  timing  properties. 


Figure 6.5: Isochronism specification processes (Iso-1 specification; events SS_SAP and En_SS_SAP; clock $v$ with guard $v = \pi$ and reset $v := 0$)


Isochronism:

Iso-1: Whenever an SS_SAP event is enabled, it is also enabled exactly $\pi$ time units later.

Iso-2: Whenever an SS_SAP event is enabled, it is never enabled again before $\pi$ time units have passed.

Transmission delays: After a successful SS_SAP exchange, an offer at SR_SAP must occur within $[\tau_{min}, \tau_{max}]$ time units.

Spacing between deliveries: Whenever an event is enabled at SR_SAP, there is a delay of at least $a$ time units before it is enabled again.

The specifications for properties Iso-1 and Iso-2 appear in figure 6.5. The development of these specification automata is explained in more detail below. Notice that the property Iso-1 asserts that a particular event must occur within a certain time interval, whereas the second property states that a particular event should not occur. In general, properties of the second sort are easier to specify.

Most properties are assertions about whether SAPs are enabled in a timely fashion or not. However the language of timed automata has no direct means of expressing that an event is enabled. We handle this by adding additional events, such as En_SS_SAP which is enabled in each component precisely when SS_SAP is ready for communication. In figure 6.4 this would result in self-loops at locations $q_0$ labeled En_SS_SAP in the isochronism process, and En_SS_SAP_i in all the delay cell processes, for which the transmission delay product abstracts the events to En_SS_SAP before composing with the other processes. The conditions on the En_SS_SAP events match those for the SS_SAP events. Thus in testing the second isochronism specification, the negated property asserts that a premature enabling event occurs. See figure 6.5.

Figure 6.6: Isochronism component indicating urgent enabling at SS_SAP

Verifying the first isochronism property, which asserts that SS_SAP can take place when $v = \pi$, is not so straightforward. The En_SS_SAP event must be urgent in the automaton for the isochronism property. This is because in order to correctly check whether SS_SAP really is enabled, we need the event En_SS_SAP to occur without fail whenever it is. Otherwise SS_SAP may be enabled, with the En_SS_SAP event enabled but not occurring, leaving the impression that time passes by without the event being enabled. However, we run into two difficulties. Firstly, an event may occur at precisely the time En_SS_SAP would occur, thereby disabling En_SS_SAP. We circumvent this through a specification which checks not only for the En_SS_SAP event, but also for events which may explicitly disable it, e.g. the event SS_SAP itself may occur instead. Secondly, our verification tool does not allow urgent events to be subject to timed enabling conditions, e.g. the constraint $x = 0$ in the isochronism process. We handle this shortcoming by introducing additional control locations which are used to check whether the urgent event satisfies its timing condition, as in figure 6.6. Thus an urgent event Possible_En_SS_SAP is allowed to occur out of the location regardless of the value of the clock $x$. The 0 upper time bound on the reset clock $x'$ at location test forces control to immediately pass to $q_0$, signaling either that the event truly is enabled (when $x = 0$) or that this excursion into the test location does not correspond to a real enabling at SS_SAP (when $x > 0$). Thus to verify the property Iso-1 we replace the isochronism component in figure 6.4 with that of figure 6.6, and add self-loops on the delay cells labeled Possible_En_SS_SAP instead of En_SS_SAP.

Model-checking  over  TCTL  formulae  is  strictly  more  expressive  than  our  safety 
verification  paradigm.  In  particular  we  cannot  even  model  in  our  framework  the 
following  properties  which  Daws  et  al  verify: 

Isochronism: 

Iso-3:  An  SS_SAP  event  is  never  continuously  enabled  for  any  non-zero  length 
of  time. 

Immediate  acceptance:  An  offer  at  SR_SAP  is  never  continuously  enabled  for 
any  non-zero  length  of  time,  i.e.  the  offer  is  either  taken  immediately  or  lost. 

Comparison to Daws et al

Daws et al express information about the enabling of an event by using propositions stating whether the event is enabled within each participating process. The event is enabled in the server iff it is enabled in each participating process. They also explicitly form the product of the individual components, allowing them to express the urgency semantics for the Deliver event using a special clock which ensures that once delivery is enabled it occurs before any time can pass. We prefer to model such events by labeling them as urgent. This decision allows processes to be described in a simple and modular format. The correct semantics is then implemented without an added clock by simply disallowing time to pass whenever urgent events are enabled.

Chapter  8  contains  a  comparison  of  the  performance  of  their  symbolic  verifier 
Kronos  and  our  approximation  algorithm  for  those  examples  we  can  specify  in  the 
reachability  framework. 

6.1.3  Ethernet 

We now briefly describe a more substantial example: a timed model of the Medium Access Control (MAC) sublayer of Ethernet's Data Link layer, first formally specified by Weinberg and Zuck [WZ92]. We refer the reader to their work for a full description of the protocol implemented by this sublayer. It is essentially a carrier-sense / multiple-access protocol with collision-detect (CSMA/CD), which sends and receives frames between the Logical Link Layer and the Physical Layer. A request to send a data packet causes the transmitter to listen to the channel. If the channel is not idle it waits until it is, and then sends its data packet. If a collision occurs it is detected, and the transmitter sends a special jam sequence to alert other users. It waits a random time, up to a limit determined by a binary exponential backoff algorithm, and then attempts to retransmit. The logical link layer is informed whether transmission is successful or not.

The  MAC  sublayer  consists  of  four  different  components:  a  frame  transmitter, 
a  deference  generator,  a  bit  transmitter  and  a  frame  receiver.  Communication  with 
processes  in  the  Logical  Link  Layer  above  and  the  Physical  Layer  below  occurs  through 
a  combination  of  shared  variables  and  direct  communication  channels. 

Our  modeling  of  the  MAC  sublayer  differs  from  the  description  by  Weinberg  and 
Zuck  in  the  following  ways: 

• (data values): we perform no data encapsulation of the raw frames received: in fact no actual data values are sent.

• (bit transmission): the bit transmitter is modeled by signals denoting the beginning and ending of transmission of the entire sequence of bits in a frame. This is essentially the same as saying all frames consist of a single bit.

• (semantics): timed safety automata cannot capture the unbounded liveness properties expressible in the timed transition systems used by Weinberg and Zuck. Our model therefore includes some execution traces not found in theirs.

• (carrier sense/collision detection): the conditions for setting each of these variables are unspecified in [WZ92]. We assume that both the conditions for carrier sense and collision detection may become true at any time. Furthermore, carrier sense is always true while the sender is transmitting. Whenever the condition for a change of variable value is detected, the variable changes value after an appropriate time delay.

• (retransmission delay): we set a fixed maximal number of periods to delay before attempting retransmission. The actual delay is nondeterministically chosen as any number of delay periods up to the maximum.

Our model includes six variables (number of transmission attempts, carrier sense, collision detection, transmitter waiting, deferred, counter measuring time to wait before retransmit). There are six clocks in the system. The sizes of the individual component processes are given below.

Component                        STA states   STA transitions
Frame Transmitter                    15              19
Deference Generator                   5               5
Carrier Sense Generator               6              25
Collision Detection Generator         3               3
Bit Transmitter                       7               9
Medium                                3               6
Frame Receiver                        3               4

We tested the protocol with three timing specifications: two lower bound properties and a bounded liveness property.

Spec A : If the transmitter is ever deferred before transmitting, then the total time before successful transmission is at least 12 milliseconds.

Spec B : If a jam is sent by the Frame Transmitter, then at least 12 milliseconds pass before successful transmission is signaled to the Logical Link Layer above.

Spec C : If there are no collisions, and the frame transmitter proceeds past the point of waiting to proceed, then transmission is successful within 40 milliseconds.

CSMA/CD 

We  also  test  our  verifier  on  a  simple  CSMA/CD  protocol  described  in  [NSY92a].  This 
verification  problem  consists  of  two  extremely  simplified  senders  and  the  medium. 

6.1.4  Mutual  exclusion 

A simple version of Fischer's mutual exclusion algorithm appears at the end of chapter 3. We also test our verifier on Alur and Taubenfeld's fast mutual exclusion algorithm [AT92] which provides a process with quicker access to its critical section in the absence of contention.


6.2  Discussion 

While  this  thesis  focusses  on  efficiency  issues  in  timing  verification,  we  comment 
briefly  now  on  our  experience  with  specifying  verification  problems.  Although  timed 
automata  are  an  expressive  formalism,  it  is  not  straightforward  to  describe  systems 
accurately.  We  identify  three  primary  sources  of  problems  —  the  first  two  of  which 
are  generic  to  the  shared-event  automaton  model. 

Limited  syntax 

Our definition of timed safety automata provides only a basic syntax which is quite inadequate for specifying complex systems. For instance, there is no distinction between input and output events (this may lead to errors when a process is not receptive of its intended inputs, thereby unintentionally blocking the output of another process).

Figure 6.7: Misleading specification

There  is  no  event  abstraction  mechanism.  In  the  tick-tock  protocol  it  would  have 
been  helpful  for  the  timed  automaton  language  to  be  able  to  describe  how  the  events 
for  different  cells  are  abstracted  into  single  events. 

There  is  no  built-in  syntax  for  pointers,  reading  and  writing  variables,  nor  for 
indexing  arrays.  While  the  lack  of  the  above  features  is  inconvenient,  we  note  that 
suitable  syntactic  sugar  can  be  added  to  the  basic  model  to  enrich  the  formalism. 


Machine  modeling 

While automata models are often convenient for small components, their lack of structure can make more complex processes difficult to understand. For example, looping constructs can have numerous branching and entry points. In the absence of liveness, the basic meaning of a transition is that it may occur, as opposed to representing an event which must occur. This makes it difficult to express clearly branching points where one of several different choices must be taken. In other words, there are no clear equivalents of while loops, for loops, if statements and case statements. There is also the frequently encountered problem of modeling processes with automata which admit too few runs because events in their composition get blocked. This cause of confusion is due to the shared-events model of composition. A common example is in specifications which are not receptive, e.g. the automaton in figure 6.7 does not correctly specify that every $A$ event is followed by a $B$ event within $K$ time units. It disregards runs where two $A$'s followed by a $B$ occur in quick succession.
Forced events

A common misunderstanding is that transitions do not explicitly represent events which must occur. This confusion can lead to automaton models which permit processes to prematurely cease useful progress by resting in a location. For example, the safety invariant "$x < 5$" must be placed on all the locations $q_1$, $q_2$, and $q_3$ in the train component of figure 6.1. It is easy to overlook the invariant on $q_2$ or even $q_1$, but the invariant on $q_3$ is not enough to ensure the automaton loops back to $q_0$. It merely states that if control reaches $q_3$, then it will leave $q_3$ in due time — the automaton may end up in $q_1$ forever.

Summary 

The above shortcomings suggest the need for a higher level language which enables direct reference to variables, arrays, pointers, event abstraction, input/output events, and clear constructs for looping and branching. These are primarily syntactic desiderata. On the other hand, timed safety automata are slightly limited in expressiveness too. As shown above, there are properties they cannot express, such as singularity of enabledness, and unbounded fairness constraints which would be helpful in specifying properties of the mutual exclusion algorithms.

Nevertheless  we  feel  the  array  of  problems  we  can  specify  to  be  quite  large  in 
practice,  and  the  use  of  a  verification  tool  which  supplies  useful  debugging  information 
is  very  helpful  in  getting  system  descriptions  correct.  We  found  it  critical  to  test  not 
only  that  a  protocol  is  correct,  but  also  that  suitable  changes  in  the  timing  parameters 
result  in  error  traces  —  this  strategy  helps  ensure  the  report  of  correctness  is  not 
merely  due  to  modeling  faults  which  incorrectly  rule  out  violating  traces. 


Chapter  7 

Hybrid  Systems 


Introduction 

Hybrid automata [MP93, ACHH93, AHH93, NOSY93] consist of discrete state components interacting with continuously changing variables. They model the behavior of programs embedded in physical systems where the environment is changing in real time. In the more general case, continuous variables are modeled by arbitrary differential equations, and the system's control information by discrete states. An important class of hybrid automata is that of the linear hybrid systems, where the continuous variables are modeled as functions whose rates of change and reassignments are linear terms. Arbitrary linear hybrid systems are undecidable, but a number of interesting subclasses have been found which are decidable [PV94, MV94, KPSY93], or admit semi-decision procedures [OSY94].

We introduce an interesting decidable subclass of linear hybrid systems, the skewed clock automata (SCA), which we use to model processes whose clocks increase at variable rates. These are a subclass of the automata with rectangular differential inclusions, which were recently independently shown to be decidable [PV94, HPV94]. An automaton with rectangular differential inclusions has lower and upper bounds on its clock rates, which must be fixed rational numbers. Skewed clock automata add a syntactic restriction on where constraints can be placed in the automaton, the query-reset alternation property. The subclass is interesting in that the proof of decidability reduces the emptiness problem for SCAs to emptiness over TSAs while preserving the structure of the automaton and the number of clocks. This reduction technique provides a feasible algorithmic method for safety verification of SCAs. Henzinger et al.'s reduction [HPV94] applies to a much broader class of automata but doubles the number of clocks, thereby reducing its usefulness in practice.

The  syntactic  restriction  we  apply  is  easily  checked.  It  is  general  enough  to  be 
applied  to  many  forms  of  automata  where  clocks  are  used  to  force  lower  and  upper 
bound  constraints  on  enablement  times.  The  alternation  property  essentially  asserts 
that  on  every  path  in  the  automaton,  for  every  clock,  there  is  either  a  reset  or  a  test 
of  equality  of  that  clock  between  any  two  queries  of  the  clock’s  value  (except  that  an 
upper  bound  query  may  follow  another  upper  bound  query  without  an  intermediate 
reset,  provided  the  second  upper  bound  is  no  greater  than  the  first). 

We also describe a case study of a timing-based communication protocol due to Bosscher et al [BPV94]. We verify correctness for bit sequences of arbitrary length. We are also able to prove messages are received within a reasonable time, despite the fact that the statement of this timing property uses arbitrarily large constants for deadlines.

Related  work 

SCAs are a subclass of the automata considered by Olivero et al [OSY94]. They give abstraction mappings which preserve emptiness in only one direction for $\forall$TCTL formulas, and thus lead to a semi-decision procedure for their more general class of automata. Our transformation from SCAs to TSAs is the same as theirs: in our case we prove it exactly preserves the divergent runs in our automata and therefore yields a decision procedure for emptiness. Puri and Varaiya [PV94] prove decidability for a class of linear hybrid automata incomparable to SCAs. They are not restricted by the query-reset alternation property we require. Their result is very general, except that their enabling constraints and rate intervals must correspond to closed intervals, whereas we allow open intervals. Unfortunately their proof of decidability relies on discretization of the continuous space, and does not lend itself to efficient verification procedures. Recently, in work with Henzinger [HPV94], they have provided a proof of decidability that translates automata with rectangular differential inclusions directly into timed automata, but with a doubling in the number of clocks. These other approaches use a more general model of a hybrid system which allows for different bounds on clock rates at different locations, and reassignment of variables to constants other than 0. These extensions could be incorporated into SCAs but for simplicity are not included here.

Lam and Brayton [LB93] define automata with a very similar query-reset alternation property. Their property is even more restrictive than ours in that each clock may only be reset and queried once in the entire automaton. However, they allow arbitrary timing constraints. Their clocks increase at a constant rate, and the query-reset alternation is used to establish a simple path property which reduces verification to reachability over paths without loops. Our automata do not necessarily satisfy the simple path property. In comparison, we use the alternation property to show that constraints on a drifting clock can be mimicked by constraints on a clock advancing at a fixed rate.

Another approach to verifying hybrid systems, one not pursued in this chapter, is to apply the approximation algorithm directly to hybrid systems. In the general case, the algorithm is not guaranteed to terminate, but the strategy is promising. Indeed Henzinger and Ho [HH94] report success in applying our iterated overapproximations of subsection 2.2.2 to linear hybrid systems. They also use extrapolations to speed convergence.

7.1  Skewed  clock  automata 

A skewed clock automaton (SCA) $A$ is a tuple $(\Sigma, Q, Q_{init}, C, \rho, T, Inv)$ where

1. $\Sigma$ is a finite set of events, disjoint from the time-passage events,

2. $Q$ is a finite set of control locations,

3. $Q_{init} \subseteq Q$ is a set of initial locations,

4. $C = \{x_1, \ldots, x_n\}$ is a finite set of clocks,

5. $\rho$ assigns to each clock a non-empty interval of $\mathbb{R}$ defined by positive integer endpoints. The interval $\rho(x)$ represents the range of possible rates of increase of $x$, and will be denoted $[dl_x, du_x]$ where $dl_x$ and $du_x$ are taken to be bounds in the domain $\mathbb{Z} \cup \mathbb{Z}^- \cup \{\infty\}$ (a bound of the form $k^-$ is strict),

6. $T \subseteq Q \times \Sigma \times \Phi_n \times \Lambda(n) \times Q$ is a query-reset alternating transition relation, defined below, and

7. $Inv \in (Q \to \Phi_n)$.

Figure 7.1: Skewed clock automaton $A_1$ (figure not reproduced)

We assume without loss of generality that each clock constraint is satisfiable.

For convenience we say that all clocks are reset at the initial state of any run. Before describing the query-reset alternating property, we first define the value of a clock $x$ to be determined by a transition $tr$ whenever its value on entering the successor location is uniquely determined by the enabling constraint of $tr$, i.e. $x$ is determined by $tr = (q, a, \phi, \alpha, q')$ iff $\phi$ implies $x = k$ for some $k$. We assume without loss of generality that whenever a transition determines a clock's value, it also resets that clock. We also assume without loss of generality that the safety invariant on control location $q$ is a conjunct in the enabling condition of every transition out of $q$. We now define some notation relating to queries and resets along paths. Let $l = l_0, l_1, \ldots, l_m$ be a path of locations and $tr = tr_1, tr_2, \ldots, tr_m$ a sequence of transitions such that $tr_i$ leads from location $l_{i-1}$ to location $l_i$. We define $\phi_i$ to be the enabling constraint associated with transition $tr_i$. For a given clock $x$, let $R^x_i$ denote the index position of the $i$-th reset of clock $x$ along the sequence of transitions, with $R^x_0$ set to 0. In addition, let $Q^x_{i,j}$ be the index of the $j$-th query of clock $x$ along $tr$ occurring after the $i$-th reset but not after the $(i+1)$-th reset, and let $num^x_i$ be the number of queries of $x$ between the $i$-th and $(i+1)$-th resets.

Example 7.1 Consider, for example, the SCA in figure 7.1 and its path of locations $q_0, q_1, q_2, q_3, q_0, q_4$ with sequence of transitions $tr_1, tr_2, tr_3, tr_4, tr_5$. Then $R^x_0 = 0$, $R^x_1 = 1$, $R^x_2 = 4$, and $R^x_3 = 5$. The value of $num^x_0$ is 1 with $Q^x_{0,1} = 1$, and $num^x_1 = 2$ with $Q^x_{1,1} = 2$ and $Q^x_{1,2} = 3$, and $num^x_2 = 1$ with $Q^x_{2,1} = 5$. □

The query-reset alternating property states that for every path $l$ of locations in the SCA $A$ and matching sequence of transitions $tr$, for every clock $x$ and $i \geq 0$, either $num^x_i = 1$, whenever it is defined, or the last query between the $i$-th and $(i+1)$-th resets, i.e. the constraint $\phi$ associated with transition $tr_{Q^x_{i,num^x_i}}$, includes an upper bound constraint of the form $x \leq b$, and for each $k < num^x_i$, the query for the $Q^x_{i,k}$-th transition is an upper bound of form $x \leq b'$ where $b \preceq b'$. Notice that in the case of multiple queries between resets the last query need not be a simple upper bound constraint: it may be of arbitrary form as long as it implies a suitable upper bound on $x$.

Example 7.2 The path and sequence of transitions in example 7.1 is a query-reset alternating path. Notice that whenever a transition has an enabling constraint and a reset, the query of the enabling constraint is considered to take place before the reset. The path has alternating queries between resets, except for the two consecutive queries at transitions $tr_2$ and $tr_3$. However these queries are permissible since the first is an upper bound exceeding the second. □
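The following Python script is an added example, not code from the thesis: it computes the indices $R^x_i$, $Q^x_{i,j}$ and $num^x_i$ for one path and checks the query-reset alternating property on it. The path reproduces example 7.1 (five transitions; the clock $x$ is queried and reset on $tr_1$, queried on $tr_2$ and $tr_3$, reset on $tr_4$, and queried and reset on $tr_5$). Since figure 7.1 is not reproduced, the bounds on those queries are constructed here, with $tr_2$ carrying the looser upper bound by default. The names `Transition`, `reset_query_indices`, `alternating` and `example_path` are this example's own. The check also applies the rule to the queries after the last reset of a finite path, which is stricter than necessary for a path prefix.

```python
"""Query-reset alternation check for one path of a skewed clock automaton.
Added example, not code from the thesis.  A transition records the queries
its enabling constraint makes on each clock and the set of clocks it resets;
as in the text, a query on a transition happens before that transition's
reset, and every clock counts as reset at the start of the path (R_0 = 0).
A bound is a pair (value, strict), strict=True standing for k^-."""
from dataclasses import dataclass, field


@dataclass
class Transition:
    queries: dict = field(default_factory=dict)   # clock -> [(rel, bound), ...]
    resets: set = field(default_factory=set)


def reset_query_indices(path, clock):
    """R[i] is the index of the i-th reset of clock (R[0] = 0); Q[i] lists the
    indices of its queries after the i-th reset and not after the (i+1)-th,
    so len(Q[i]) is num_i.  Transitions are numbered from 1 as in the text."""
    R, Q = [0], [[]]
    for k, tr in enumerate(path, start=1):
        if clock in tr.queries:          # the query precedes the reset
            Q[-1].append(k)
        if clock in tr.resets:
            R.append(k)
            Q.append([])
    return R, Q


def tighter_or_equal(b1, b2):
    """b1 <= b2 on bounds: the strict k^- is tighter than the non-strict k."""
    (v1, s1), (v2, s2) = b1, b2
    return v1 < v2 or (v1 == v2 and (s1 or not s2))


def upper_bound(tr, clock):
    """The tightest upper bound tr places on clock, or None if there is none."""
    ubs = [bnd for rel, bnd in tr.queries.get(clock, []) if rel == "<="]
    return min(ubs, key=lambda bd: (bd[0], not bd[1])) if ubs else None


def alternating(path, clocks):
    """True iff every clock satisfies the query-reset alternation property on
    this path: between two consecutive resets either there is a single query,
    or every query is a plain upper bound and the last one implies an upper
    bound no looser than each of the earlier ones.  The queries after the
    last reset are checked the same way, which is conservative for a prefix."""
    for x in clocks:
        _, Q = reset_query_indices(path, x)
        for segment in Q:
            if len(segment) <= 1:
                continue
            last = upper_bound(path[segment[-1] - 1], x)
            if last is None:
                return False
            for k in segment[:-1]:
                for rel, bnd in path[k - 1].queries[x]:
                    if rel != "<=" or not tighter_or_equal(last, bnd):
                        return False
    return True


def example_path(b2=5, b3=3, lower_on_tr2=False):
    """The path of example 7.1 with constructed bounds (figure 7.1 is not
    reproduced): tr2 and tr3 are the consecutive queries between the first
    and second resets of x, tr2's bound being the looser one by default."""
    tr2_atom = (">=" if lower_on_tr2 else "<=", (b2, False))
    return [
        Transition({"x": [(">=", (1, False))]}, {"x"}),   # tr1: query, then reset
        Transition({"x": [tr2_atom]}),                     # tr2: x <= b2
        Transition({"x": [("<=", (b3, False))]}),          # tr3: x <= b3
        Transition({}, {"x"}),                             # tr4: reset only
        Transition({"x": [(">=", (2, False))]}, {"x"}),   # tr5: query, then reset
    ]
```

Swapping the two bounds (so that $tr_3$ is looser than $tr_2$), or making $tr_2$ a lower bound, makes `alternating` reject the path, which is exactly the situation the transformation of section 7.2 cannot handle.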

The semantics of the SCA $A$ are given by the transition system it induces, namely $(S_A, S_{0,A}, N_A)$, where $S_A$ and $S_{0,A}$ are as for timed safety automata, and $N_A = N'_\delta \cup \bigcup_{e \in \Sigma} N_e$, where $N_e$ is also as before. The time passage relations $N'_{\delta_t}$ are defined as

$N'_{\delta_t} = \{((q, \vec{x}), (q, \vec{x}')) \mid \forall i \in 1..n,\ (x'_i - x_i)/t \in \rho(x_i)\}$

and $N'_\delta = \bigcup_{t \in \mathbb{R}_{>0}} N'_{\delta_t}$.
Theorem 7.3 SCAs are closed under composition.

Proof: The syntactic query-reset alternating path restriction is preserved when composing automata, since every path in the product automaton projects to a path in each component, and repeating the same upper bounds (for a safety invariant at the same component location) along a path is permitted. □


7.2 Translation to timed safety automata

We define a transformation function $K$ which converts a skewed clock automaton into a timed safety automaton. Note that the transformation only applies in the case where the SCA resets a clock every time its value is determined. The TSA $K(A)$ has the same control locations and transition structure as $A$, the only difference being that its timing constraints are transformed to reflect the different clock rates. For each SCA clock $x$, there is a TSA clock $x'$. Intuitively, $x'$ records the amount of time which has passed since $x$ was last reset. We assume without loss of generality that all bounds on clock rates are integer values, either strict or non-strict.

For SCA automaton $A = (\Sigma, Q, Q_{init}, C, \rho, T, Inv)$, we define $K(A)$ to be the tuple $(\Sigma, Q, Q_{init}, C', T', Inv')$, where $C'$ consists of a set of primed clocks, one corresponding to each clock in $C$. The transitions $T'$ are the set of transitions $K(T)$, and $Inv'$ are transformed invariants, both defined below via transformations on the timing constraints. The transformed constraints $K(\phi)$ express the fact that the SCA constraint could be satisfied under the TSA constraint. For uniformity of exposition, we use bounds in enabling constraints. We use an extended domain of bounds which includes $r$ and $r^-$ where $r$ is a rational value. Division of bounds is defined as the expected rational division with the result being a strict bound whenever either operand is strict. The only exception to this rule is that a non-strict zero bound divided by any bound is always a non-strict zero bound.

The transformation for basic enabling conditions of the form $x \sim b$ for a clock $x$ and relation $\sim$ in $\{\leq, \geq\}$ is defined below. The idea is that the linearly progressing TSA clock $x'$ in $K(A)$ records the amount of real global time since the last reset of $x$. Let $t$ be the amount of time which has passed since $x$ was last reset. For a constraint of the form $x \leq b$ to be satisfied in the SCA, we know that at most $b/dl_x$ time has passed from the time of $x$'s last reset, since $x \leq b$ and $t \cdot dl_x \leq x$ implies $t \cdot dl_x \leq b$, which is equivalent to $t \leq b/dl_x$. Because the time since $x$ was last reset is measured by clock $x'$, we replace the constraint $x \leq b$ in the SCA $A$ with $x' \leq b/dl_x$ in the TSA $K(A)$. A similar analysis for lower bounds leads to the translation table for constraints shown in figure 7.2. The transformation extends to conjunctions as $K(\phi_1 \wedge \phi_2) = K(\phi_1) \wedge K(\phi_2)$. We define $K((q, a, \phi, \alpha, q')) = (q, a, K(\phi), \alpha', q')$ where $\alpha'$ resets the primed versions of all clocks reset by $\alpha$, and $K(T) = \{K(tr) \mid tr \in T\}$. Finally, we define $Inv'$ such that $Inv'(q) = K(Inv(q))$ for every location $q$.

Figure 7.2: Transformation $K$ on SCA constraints

    $\phi$ in SCA $A$      $K(\phi)$ in TSA $K(A)$
    $x \leq b$             $x' \leq b/dl_x$
    $x \geq b$             $x' \geq b/du_x$

Figure 7.3: Transforming SCAs into TSAs (automata $A_0$, $A$ and $K(A)$; figure not reproduced)

Example 7.4 The SCA $A_0$ in figure 7.3 does not reset $x$ after determining its value along the transition from $q_0$ to $q_1$, so we cannot apply the transformation directly to $A_0$. The SCA $A$ accepts the same language as $A_0$ and avoids this problem. The rate of increase of $x$ lies in the interval $[1, 2)$. We apply the $K$ transformation to $A$ yielding the TSA $K(A)$ shown in the figure. Notice that the transition from $q_0$ to $q_1$ in $K(A)$ has enabling condition $x' = 0$ derived from $0 \leq x' \leq 0$, resulting from the non-strict 0 lower bound obtained by dividing 0 by $2^-$. □


Theorem 7.5 A skewed clock automaton $A$ has an empty language iff the timed safety automaton $K(A)$ has an empty language.

Proof: The proof of correctness shows that nonemptiness is preserved, i.e. a run in the TSA $K(A)$ implies a run in the SCA $A$ and vice versa.

SCA non-empty implies TSA non-empty

We first prove the simpler direction, namely that a run in the SCA $A$ has a matching run in the TSA $K(A)$. The time in $K(A)$ represents the real time. Given a run in the SCA $A$,

$s_0 \xrightarrow{e_1} s_1 \xrightarrow{e_2} s_2 \xrightarrow{e_3} \cdots$

let $t_i = \sum_{j \leq i} dur(e_j)$. We refer to the transition which takes place from state $s_i$ as $tr_{i+1}$, and let $tr'_{i+1}$ denote $K(tr_{i+1})$. The location of $s_i$ is referred to as $q_i$. The run

$s'_0 \xrightarrow{e_1} s'_1 \xrightarrow{e_2} s'_2 \xrightarrow{e_3} \cdots$

in the TSA is obtained as follows. The control location at $s'_i$ is $q_i$. Let $x'_k$ be the value of clock $x'$ at state $s'_k$, which we set as $x'_k = x'_{k-1} + t_k - t_{k-1}$ if $tr_k$ does not reset clock $x$, and $x'_k = 0$ otherwise.

It is easy to see that the timed-states along the run are reset appropriately, and advance correctly for time-passage events. Thus we need only check that all queries in $K(A)$ are satisfied along the run. Consider a query of $x'$ along the run at transition $tr'_{i+1}$ out of state $s'_i$. Suppose the most recent reset of $x'$ occurred at transition $tr'_k$ into state $s'_k$. Then the value of $x'$ at $s'_i$ is $x'_i = t_i - t_k$, since resets of $x'$ match those of $x$. If $tr'_{i+1}$ has a constraint of form $x' \leq b'$ in $K(A)$, then $tr_{i+1}$ has a constraint of form $x \leq b$ such that $b/dl_x = b'$. By the lower bound on the rate of progress of $x$, and the fact that $x$ satisfies its constraint in $tr_{i+1}$ at $s_i$, we have that $(t_i - t_k) \cdot dl_x \leq x \leq b$, which implies that $(t_i - t_k) \leq b/dl_x = b'$. Since $x'_i = t_i - t_k$, it follows that $x'_i \leq b'$ as required. The argument for lower bounding constra­ints is similar.


TSA non-empty implies SCA non-empty

We construct a matching run in $A$ for every run in $K(A)$. Analogous to the above argument, we use the values of the clocks in the given run to provide clock values for the constructed run. We then show that the corresponding skewed clocks satisfy their timing constraints because their mapped clocks $x'$ in $K(A)$ do.

Consider a run

$s'_0 \xrightarrow{e'_1} s'_1 \xrightarrow{e'_2} s'_2 \xrightarrow{e'_3} \cdots$

in the TSA $K(A)$. Suppose $t'_i = \sum_{j \leq i} dur(e'_j)$. We claim that

$s_0 \xrightarrow{e'_1} s_1 \xrightarrow{e'_2} s_2 \xrightarrow{e'_3} \cdots$

is a run in $A$ if $s_k = (q'_k, \vec{x}_k)$, with control location and transitions matching those of the TSA's run and the values of each $\vec{x}_k$ determined below.

The value of each clock $x$ is assigned independently of the other clocks. Let $R^x_i$, $num^x_i$, and $Q^x_{i,j}$ be defined for the run as in the definition of the query-reset alternating path property, i.e. $R^x_i$ is the index position of the $i$-th reset of $x$, $num^x_i$ is the number of queries between the $i$-th and $(i+1)$-th resets, and for $1 \leq j \leq num^x_i$, $Q^x_{i,j}$ is the index position of the $j$-th query of $x$ after its $i$-th reset. Clearly $x_k$ should be assigned the value 0 whenever $k = R^x_i$ for some $i$. We need to define $x_k$ between resets, i.e. for $R^x_i < k < R^x_{i+1}$. To do so, we use the last query of $x$ before the $(i+1)$-th reset, i.e. the query at the transition out of the $(Q^x_{i,num^x_i} - 1)$-th state, to choose a linear rate of progress between the $R^x_i$-th and $R^x_{i+1}$-th states. We will then show that for all $1 \leq j \leq num^x_i$ the queries at the $(Q^x_{i,j} - 1)$-th states are satisfied.

First we choose an appropriate rate of progress $\lambda$ which guarantees the enabling constraint $\phi$ at the $(Q^x_{i,num^x_i} - 1)$-th state is satisfied. For notational convenience, we fix $M = Q^x_{i,num^x_i} - 1$, and let the enabling constraint of $tr'_{M+1}$ be $\phi'$, i.e. $K(\phi) = \phi'$. Let the value of $x'$ at $s'_M$ be $v$.

• If $v \neq 0$ and $\phi'$ includes an upper bound constraint of the form $x' \leq b'$ in the TSA $K(A)$ derived from the constraint $x \leq b$ in $A$, we require $\lambda$ to lie in the range $[dl_x, b/v]$.

• If $v \neq 0$ and $\phi'$ includes a lower bound constraint of the form $x' \geq b'$ in the TSA $K(A)$ derived from the constraint $x \geq b$ in $A$, we require $\lambda$ to lie in the range $[b/v, du_x]$.

We need to show that there is a $\lambda \in \rho(x)$ satisfying the above constraints. We do this in two steps: first showing each interval above is non-empty, and then showing they must overlap. For non-emptiness, the case where $v = 0$ is obvious, so suppose $v > 0$. Consider the restriction implied by an upper bound constraint. Since the value of $x'$ at $s'_M$ satisfies the constraint $\phi'$, it follows that $x'_M = v \leq b' = b/dl_x$. Hence $dl_x \leq b/v$ since both $v$ and $dl_x$ are positive. For lower bound constraints we have that $b/du_x = b' \leq x'_M = v$, and hence $b/v \leq du_x$.

To see that the intervals overlap, first observe that $\phi$ is satisfiable by assumption on the structure of SCAs. Therefore when it contains constraints $b_1 \leq x$ and $x \leq b_2$ it must be that $b_1 \preceq b_2$ with $b_1 \neq b_2$ unless both represent non-strict bounds, and hence $b_1/v \preceq b_2/v$. Because $dl_x \preceq du_x$, all interval restrictions of form $[dl_x, b_2/v]$ and $[b_1/v, du_x]$ overlap as required. Thus for each $i$, we may fix a rate $\lambda_i$ within the prescribed ranges.

We are now ready to give the explicit values of the clock variable $x$ over the intervals between resets, namely, for all $i$ we set $x_k = \lambda_i \cdot (t'_k - t'_{R^x_i})$ for all $R^x_i < k < R^x_{i+1}$.

We need to show that all queries are satisfied. Consider a query $\phi$ at state $s_k$. Then $k = Q^x_{i,j} - 1$ for some $i$ and $j$. We examine two cases.

Case 1: $j = num^x_i$.

Then the query is the last before the $(i+1)$-th reset. Let the time elapsed since that reset be $u = t'_k - t'_{R^x_i}$. The value $\lambda_i$ has been chosen so that for every upper bound constraint $x \leq b_2$ in $\phi$, $\lambda_i \in [dl_x, b_2/u]$ if $u > 0$ and $\lambda_i \in [dl_x, du_x]$ otherwise. In either case, $x_k = \lambda_i \cdot (t'_k - t'_{R^x_i}) \leq b_2$.

The argument for lower bound constraints is similar.

Case 2: $j < num^x_i$.

By the query-reset alternating property, $\phi$'s constraint on the clock $x$ must be of the form $x \leq b$ where the $num^x_i$-th constraint $\phi_2$ after the $i$-th reset has a constraint of form $x \leq b_2$ for some $b_2 \preceq b$. Since, by case 1 above, $\phi_2$ is satisfied, we know that $x_k \leq x_M \leq b_2 \preceq b$: in other words, since the value of $x$ at this later query does not exceed $b_2$, its no greater value at $s_k$ cannot exceed the higher bound $b$.

Thus all timing constraints are satisfied and $K(A)$ non-empty implies $A$ non-empty. □

Notice that the above result also holds for SCAs augmented with urgent transitions. Such transitions can be encoded using an auxiliary clock $x$ being reset on entry into every location where any urgent events are enabled, and having invariant $x \leq 0$ at all such locations.
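As an added example (not the thesis's own code), the Python below implements the bound arithmetic and the constraint transformation $K$ of figure 7.2, reproducing the computation of example 7.4, together with the rate-witness step from the second half of the proof of Theorem 7.5: given the TSA clock value $v$ at the last query before a reset, it computes the interval $[dl_x, b_2/v] \cap [b_1/v, du_x] \cap \rho(x)$ and picks a rate $\lambda$ in it. The class `Bound`, the helper `b` and the functions `K`, `satisfies` and `witness_rate` are this example's own names; the rate interval $[1, 2)$ is taken from example 7.4 while the constraints $x \geq 3$ and $x \leq 3$ used with it are constructed. Bounds are rationals with a strictness flag ($k^-$ in the thesis's notation); rate bounds are assumed finite, so the $\infty$ case of the bound domain is not handled.

```python
"""Bound arithmetic, the K transformation of figure 7.2 and the rate witness
from the proof of Theorem 7.5.  Added example, not the thesis's own code.
A Bound is a rational value with a strictness flag: Bound(3, strict=True)
is the thesis's 3^-, so x <= 3^- means x < 3 and x >= 3^- means x > 3.
Rate bounds are assumed finite (the infinity case is not handled)."""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Bound:
    value: Fraction
    strict: bool = False

    def __truediv__(self, other):
        # a non-strict zero bound divided by any bound is a non-strict zero
        if self.value == 0 and not self.strict:
            return Bound(Fraction(0), False)
        # otherwise rational division, strict whenever either operand is strict
        return Bound(Fraction(self.value) / Fraction(other.value),
                     self.strict or other.strict)


def b(value, strict=False):
    """Convenience constructor accepting ints or strings such as '3/2'."""
    return Bound(Fraction(value), strict)


# A constraint is a conjunction, given as a list of atoms (clock, rel, bound)
# with rel in {"<=", ">="}.  rates[x] = (dl_x, du_x) is the interval rho(x).
def K(constraint, rates):
    """Figure 7.2: x <= b becomes x' <= b/dl_x, and x >= b becomes x' >= b/du_x;
    conjunctions are transformed atom by atom."""
    out = []
    for clock, rel, bnd in constraint:
        dl, du = rates[clock]
        out.append((clock + "'", rel, bnd / dl if rel == "<=" else bnd / du))
    return out


def satisfies(value, rel, bnd):
    """value rel bnd, honouring the strictness of the bound."""
    if rel == "<=":
        return value < bnd.value if bnd.strict else value <= bnd.value
    return value > bnd.value if bnd.strict else value >= bnd.value


def _tighter(q, current, as_upper):
    """Is q a tighter endpoint than current (upper if as_upper, else lower)?"""
    if q.value == current.value:
        return q.strict and not current.strict
    return q.value < current.value if as_upper else q.value > current.value


def witness_rate(v, constraint, clock, rates):
    """Proof of Theorem 7.5, TSA non-empty implies SCA non-empty: v is the TSA
    clock value x' (time since the last reset of x) at the last query before
    the next reset.  An upper bound x <= b restricts the rate to [dl_x, b/v],
    a lower bound x >= b to [b/v, du_x]; return a rate in the intersection
    with rho(x), or None if that intersection is empty."""
    lo, hi = rates[clock]
    for c, rel, bnd in constraint:
        if c != clock or v == 0:
            continue                      # v = 0: x = 0 whatever the rate
        q = bnd / Bound(Fraction(v))
        if rel == "<=" and _tighter(q, hi, as_upper=True):
            hi = q
        elif rel == ">=" and _tighter(q, lo, as_upper=False):
            lo = q
    if lo.value > hi.value or (lo.value == hi.value and (lo.strict or hi.strict)):
        return None
    # a non-strict lower endpoint is itself admissible; otherwise take the midpoint
    rate = lo.value if not lo.strict else (lo.value + hi.value) / 2
    # the chosen rate makes the SCA clock value v*rate satisfy the original query
    assert all(satisfies(v * rate, rel, bnd)
               for c, rel, bnd in constraint if c == clock)
    return rate
```

With $\rho(x) = [1, 2)$, `K` maps $x \geq 0 \wedge x \leq 0$ to $x' = 0$ exactly as in example 7.4 (the lower bound $0/2^-$ is the non-strict zero by the exception rule), and maps $x \geq 3$ to $x' > 3/2$; `witness_rate` returns $\lambda = 3/2$ for $v = 2$ under $x = 3$, and `None` for $v = 1$ under $x \geq 3$, since $v = 1$ does not satisfy the transformed constraint $x' > 3/2$ in the first place.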


7.3  Case  study:  Manchester  bit  encoding 

We describe how a timing-based communication protocol using Manchester encoding [BPV94] can be verified using skewed clock automata. The protocol forms a small part of a real audio control protocol under development by Philips. Bits are encoded based on timing delays between signals, and the rates of both the sender's and receiver's clocks vary within a given tolerance. The algorithm is due to Bosscher et al [BPV94] who model the protocol using a general model of linear hybrid systems, and verify its correctness using simulation-based proof rules. They also provide a counterexample when the timing constraints are not appropriately met. We model the protocol with skewed clock automata, and specify its correctness by adding violation states which should not be reachable. The model is then manually converted to a timed safety automaton representation, and then automatically verified using our approximation algorithm. We verify two properties: correctness of the bit stream that is received, and timeliness of the output.
Figure 7.4: Timing diagram for Manchester encoding of 10100 (figure not reproduced)

7.3.1  Protocol  description 

Bit  streams  are  communicated  using  Manchester  encoding.  See  figure  7.4  for  the 
encoding  of  10100.  The  voltage  on  the  communication  bus  is  either  high  or  low.  A  0 
bit  is  sent  as  a  down  signal  from  high  voltage  to  low,  and  a  1  bit  as  an  up  signal  from 
low  to  high.  The  time  line  is  divided  into  equal  length  time  slots,  and  the  signals  are 
sent  in  the  middle  of  each  time  slot.  In  order  to  send  a  repeated  bit,  there  must  be  an 
intermediate  change  in  voltage,  and  this  occurs  at  the  edge  of  the  time  slot  as  shown 
in  the  diagram  for  the  last  two  bits. 

Bosscher  et  al  [BPV94]  report  a  number  of  complications  in  the  algorithm  used 
by  Philips,  partly  due  to  the  fact  that  there  is  a  ±5%  tolerance  in  the  clock  rates  of 
the  sending  and  receiving  components. 

1.  The  receiver  does  not  know  when  the  first  time  slot  begins,  although  it  does 
know  the  agreed  upon  width  of  the  slots.  The  sender  and  receiver  synchronize 
the  start  of  transmission  by  requiring  a  low  voltage  whenever  no  bits  are  being 
sent,  and  starting  all  bit  streams  with  a  1. 

2.  The  receiver  is  not  explicitly  told  the  length  of  the  message  being  sent.  It  must 
infer  the  bit  stream  is  complete  after  a  suitable  lapse  in  receiving  bits. 

3. Drops in voltage are not instantaneous, and cannot be reliably detected. Therefore, the receiver must decode the message based solely on upgoing signals. Because the downgoing edge of a final 0 bit is not seen, this would create ambiguity between messages ending in 10 and in 1. This problem is solved by restricting bit streams to be either odd in length, or ending in 00.

4. Message collisions may occur due to several components sending at the same time.

5. There may be significant delays in communication over the bus.

Figure 7.5: Overview of processes (figure not reproduced)

The  algorithm  considered  here  ignores  the  last  two  difficulties,  i.e.  we  assume  there 
is  a  single  sender  and  a  single  receiver  and  each  upgoing  signal  is  seen  instantaneously 
by  the  receiver.  We  verify  for  arbitrary  length  bit  streams  that  the  receiver  correctly 
receives  all  bits,  and  realizes  the  bit  stream  has  finished  in  a  timely  fashion. 

The sender and receiver have the same clock error tolerance $\pm T$, i.e. their clock rates lie in $[1 - T, 1 + T]$ ($T = 0.05$ for the $\pm 5\%$ above). The receiver interprets the up signals by rounding the times they are received to the nearest time it expects them to be sent, i.e. to the slot edges or to the middle of a time slot, whichever is closer. We use the constant $Q$ to denote 1/4 the length of the bit slot.
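The Python below is an added illustration, not code from the thesis or from [BPV94]: it encodes a bit stream as the real times of the sender's upgoing signals under a skewed sender clock, decodes from those up edges alone with a skewed receiver clock that rounds each gap to the nearest slot edge or slot middle, and checks the extreme rate combinations for a given tolerance $T$. Times are in units of $Q$. The decoding table (gaps of $4Q$, $6Q$ and $8Q$ between up edges, read according to whether the previous up edge was a slot middle or a slot edge) is derived here from the encoding rules above and is this example's own reconstruction; `encode_up_edges`, `decode_up_edges`, `is_legal` and `robust` are its own names.

```python
"""Manchester encoding over skewed clocks, as in the Philips protocol above.
Added example, not code from the thesis or from [BPV94].  Times are in units
of Q (a quarter of a bit slot): slot i occupies [4i, 4i+4) and its middle is
4i+2.  A clock rate r means the local clock gains r units per unit of real
time; the sender and receiver rates are independent, each within [1-T, 1+T]."""
from fractions import Fraction


def is_legal(bits):
    """Streams start with 1 and are odd in length or end in 00 (point 3 above)."""
    return bits.startswith("1") and (len(bits) % 2 == 1 or bits.endswith("00"))


def encode_up_edges(bits, sender_rate=Fraction(1)):
    """Real times of the sender's upgoing signals.  Downgoing signals are not
    reliably visible, so they are not recorded.  Legality is deliberately not
    checked, so that the ambiguity between '1' and '10' can be observed."""
    assert bits.startswith("1"), "every bit stream starts with a 1"
    ups, high = [], False
    for i, bit in enumerate(bits):
        if bit == "1":
            # up signal in the middle of the slot; a high line is first
            # dropped at the slot edge, which the receiver never sees
            ups.append(4 * i + 2)
            high = True
        else:
            # down signal in the middle; a low line is first raised at the
            # slot edge, and that intermediate up edge is what the receiver sees
            if not high:
                ups.append(4 * i)
            high = False
    return [Fraction(t) / sender_rate for t in ups]


def decode_up_edges(real_times, receiver_rate=Fraction(1)):
    """Decode from up edges alone.  Each gap between consecutive up edges is
    measured on the receiver's clock and rounded to the nearest multiple of
    2Q, i.e. to a slot edge or slot middle.  Returns None on an impossible gap."""
    local = [t * receiver_rate for t in real_times]
    bits, at_mid = "1", True             # the first up edge is the leading 1
    for prev, cur in zip(local, local[1:]):
        gap = round((cur - prev) / 2)    # in units of 2Q
        if at_mid:                       # previous up edge was a 1 in mid slot
            if gap == 2:   bits += "1"                   # 1 at the next middle
            elif gap == 3: bits += "00"; at_mid = False  # 0, then the edge up of 00
            elif gap == 4: bits += "01"                  # 0 (no edge), then 1
            else: return None
        else:                            # previous up edge was the edge inside 00
            if gap == 2:   bits += "0"                   # another 0 via its edge
            elif gap == 3: bits += "1"; at_mid = True    # 1 at the next middle
            else: return None
    # a trailing 0 after a 1 produces no up edge; the legality rule (odd
    # length or ending in 00) lets the receiver put it back
    if at_mid and len(bits) % 2 == 0:
        bits += "0"
    return bits


def robust(bits, tolerance):
    """True iff the stream decodes correctly for all extreme combinations of
    sender and receiver rates in [1-T, 1+T].  The measured gap depends only on
    the ratio receiver_rate/sender_rate, so the four corners cover the worst case."""
    T = Fraction(tolerance)
    rates = (1 - T, 1 + T)
    return all(decode_up_edges(encode_up_edges(bits, rs), rr) == bits
               for rs in rates for rr in rates)
```

In this idealised model (instantaneous edges, single sender, no bus delay) decoding survives exactly the rate ratios $(1+T)/(1-T) < 9/8$, i.e. $T < 1/17 \approx 5.9\%$, because the $8Q$ gap between the up edges of 101 must still round to $8Q$ rather than $10Q$: the $\pm 5\%$ tolerance of the Philips design lies inside that margin while $7\%$ does not. That threshold is a property of this example's receiver, not a result stated by the thesis.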

The protocol is modeled using two primary components, the sender and the receiver, and a number of auxiliary processes for the stream of bits, pointers into the stream, and processes coordinating the reading of bit values and generation of the nondeterministic bit sequences. The overall structure of the system is shown in figure 7.5.
7.3.2 Modeling arbitrary length bit streams

We  briefly  indicate  how  we  model  arbitrary  length  bit  streams.  SCAs  have  only 
finite  control  structure,  so  they  cannot  store  the  value  of  an  arbitrarily  long  input  bit 
stream,  model  the  message  being  sent  and  received,  and  then  compare  the  received 
message  with  the  input. 

Generating  bit  sequences 

Instead,  we  generate  the  bits  to  be  sent  on-the-fly,  and  compare  each  received  bit 
with  its  intended  value  as  it  is  received.  Each  correctly  received  bit  may  then  be 
discarded.  This  is  modeled  by  the  reuse  of  bit  values.  The  protocol  is  such  that  we 
need  only  store  a  small  number  of  the  most  recent  bits:  this  is  because  the  receiver 
can  never  get  too  far  “behind”  the  sender  in  acknowledging  bits  sent. 

We  store  the  most  recent  bit  values  as  a  list  of  separate  processes,  one  per  bit.  Bit 
values  are  either  0, 1,  or  null.  A  null  bit  indicates  the  end  of  the  list.  Both  the  sender 
and  receiver  maintain  pointers  into  the  list.  Each  time  the  sender  reads  another  bit 
to  send  it  advances  its  pointer  into  the  bit  list  and,  if  necessary,  the  next  bit  value(s) 
to  send  is  also  nondeterministically  chosen.  Care  is  taken  to  ensure  that  the  resulting 
bit  stream  is  legal,  i.e.  bit  streams  are  either  odd  in  length  or  end  in  00.  Whenever 
termination  is  chosen,  the  values  0,  0,  and  null  are  selected  for  the  next  three  bits  if  an 
even  number  of  bits  have  already  been  sent,  and  the  value  null  is  selected  otherwise. 
Since  the  receiver  is  sometimes  two  bits  “behind”  the  sender,  we  need  to  store  the 
last  5  bit  values.  However  for  simplicity  of  description,  we  choose  to  model  an  even 
number  of  bits  in  order  to  maintain  the  parity  of  bits,  and  hence  store  6  bit  values. 
In  addition  the  first  bit  is  treated  separately  since  it  must  always  be  1. 

Verifying  timing  properties 

Bosscher et al prove the timing property that the bit stream is output by the receiver within $(4m + 5)Q/(1 - T)$ time units, where $m$ is the length of the message. We are also able to automatically verify this property, despite the fact that it appears to be described by a timing constraint on a clock that must increase without bound.
Figure 7.6: Timing specification (figure not reproduced)


We achieve this by proving a stronger property, namely that whenever the sender reads a bit to send, either the next bit to be sent is read within $4Q/(1 - T)$ time units, or the bit stream is output within $5Q/(1 - T)$. This property implies that the output takes place within the desired time, since the deadline for output is delayed by at most $4Q/(1 - T)$ time units for every bit sent. This localized property can be encoded in the timed automaton of figure 7.6 using fixed time bounds, and therefore used as input to our verifier.

7.3.3  Sender 

Figure  7.7  shows  the  SCA  for  the  sending  process.  The  sender  starts  execution  as 
soon  as  it  receives  the  list  input  signal.  During  transmission  it  looks  ahead  at  the 
next  bit  value,  and  decides  whether  it  needs  to  perform  an  intermediate  transition 
before  sending  the  bit  signal  in  the  middle  of  the  time  slot.  Thus  the  sender  must 
keep  track  of  the  current  voltage  value.  After  transmitting  each  signal,  the  sender 
immediately  increments  Send-Head,  its  pointer  into  the  bit  stream,  reads  the  next  bit 
to  send,  if  any,  and  decides  how  long  to  wait  until  its  next  signal.  Timing  constraints 
are  correctly  maintained  by  the  skewed  clock  x  which  is  reset  each  time  there  is  a 
voltage change. It is relatively straightforward to see that the query-reset alternating property holds. The processes for reading and generating the bit sequences appear in figures 7.8 and 7.9, and are explained in more detail below.

Figure 7.7: Sender (figure not reproduced)

Reading  pointer  values 

Our  automata  have  no  explicit  means  of  managing  pointers.  Thus  to  determine 
whether  the  “next”  bit  has  value  0,  1  or  null,  we  cannot  refer  directly  to  the  bit 
pointed  to  by  Send-Head.  We  model  this  by  enumerating  the  possible  values  of  the 
head  pointer  and  the  bit  values  and  creating  separate  events  for  each  combination. 
However, listing the result of each possible combination in the sender process would clutter its description. So for clarity we choose instead to use a separate process Read-Bits, depicted in figure 7.8, which keeps track of the current value of the next bit. From its unknown state, it immediately determines the value of the next bit, as described above, and enters either head-0, head-1, or head-null. From these locations, it can freely allow the sender to read the head value. Because we want the process to be ready for the sender to read the next bit value at any time, we force control to leave the unknown location as soon as possible by making its outgoing transitions urgent¹. Whenever an event occurs which may alter the value pointed to by Send-Head, the Read-Bits process reenters its unknown location. We note that an extended syntax for timed automata would eliminate the need for the Read-Bits process, e.g. allowing abstraction of events, or pointer values. In any case, the description we give matches exactly the input for the current implementation of our verifier.

Figure 7.8: Process monitoring reading head of bit stream


¹ It is straightforward to augment the definition of SCAs and the iiT-transformation with urgent events, while maintaining reducibility to TSAs.
Figure 7.9: Processes for generating and reading bits (panels: Sender head; Process monitoring termination)


Generating  the  bit  sequence 

As mentioned above, bit values are dynamically chosen each time the sender increments its pointer into the list of bits. The bit sequence may increase in length by choosing a 0 or 1 value. Alternatively, it may nondeterministically choose to terminate. However we must be careful to ensure that only valid bit sequences are generated. If an odd number of bits has been sent already, the next bit takes value null. If an even number of bits has been sent, we append 00 to the bit sequence, and so the next 3 bits are affected, taking values 0, 0 and null, respectively. In this way, all valid bit sequences may be nondeterministically generated. In addition, the system uses a process monitoring termination which keeps track of whether the list has terminated. This is necessary in order to ensure the trailing 0, 0, null sequence of bits for an even length sequence is not mistakenly overwritten with new values.
7.3.4 Receiver

The process modeling the receiver appears in figure 7.10. Depending on the last bit received, and the delay between the upgoing signals it detects, it infers which bit values are being sent. The receiver is in two basic modes, depending on the last bit received. For each mode, there is a waiting location (last-0 and last-1), where it passively rests until it detects an up signal. The process then decides which bits to “add” to its bit stream. After adding the bits, it uses urgent events to return to the appropriate waiting location. The list is output, if, however, an up signal does not appear within a reasonable time, i.e. within 7Q time units after the last signal if the signal indicating the last bit was 0, and within 9Q if the last signal caused the last bit added to be 1. At this point, a trailing 0 bit may be added to the list, depending on the value of the last bit received, and whether the sequence received so far is odd or even in length.

Figure 7.11: Receiver head of list pointer

The addition of violation states, marked as nodes labeled with an X, to the receiving process enables it to serve as the specification for the correct reception of all bits. Whenever this process does not correctly receive bits, or notice the end of the bit sequence, a violation is flagged.

The details of how the monitoring works are similar to the modeling of the sender. The variable rec-head indexes the stream of bits, pointing to the next bit which should be received. When the receiver decides to add bits to the sequence it receives, the process actually attempts to acknowledge that these are the correct bits in the chosen bit stream. If it cannot acknowledge the correct bits, it enters the failure location. Again urgent events are used to ensure the tests for acknowledgement all happen without time passing, and control returns to one of the waiting locations.

For completeness, figures 7.11, 7.12, and 7.13 show the automata for the remaining processes: the receiver’s pointer into the list of bits, the individual bits with their response to terminating the bit sequence, and the acknowledgement mechanism for abstracting events for the acknowledgement of bits depending on the value of the receiver’s pointer.

Figure 7.12: Bit processes (panels: Bit-i (i=2k); Bit-i (i=2k+1))
Figure 7.13: Process coordinating acknowledgements


Chapter  8 

Implementation  and  Results 


The  approximation  algorithm  for  verifying  real-time  systems  has  been  implemented 
and  tested  on  several  examples.  For  the  more  challenging  verification  problems,  it 
outperforms  other  symbolic  verification  algorithms  we  have  implemented,  as  well  as 
Kronos,  a  symbolic  model-checker  developed  elsewhere. 


8.1  Implementation 

Two forms of the algorithm - approximating only timing information, and approximating over both timing information and the control locations - have been implemented. Time zones are represented by DBMs, and sets of locations by ordered binary decision diagrams (OBDDs). Unless otherwise stated, the following discussion applies to the algorithm where control information is also represented symbolically.

The  verification  problem  input  is  first  preprocessed,  and  then  relevant  system 
parameters,  such  as  the  number  of  clocks  in  the  system,  are  used  in  the  compilation 
into  executable  code.  In  theory,  the  algorithm  always  terminates,  but  in  practice  it 
is  of  course  limited  by  both  time,  and  more  importantly,  space.  If  the  program  has 
the  resources  to  terminate  successfully,  it  indicates  whether  the  system  is  correct  or 
not.  If  the  system  contains  a  violation,  a  violating  pseudo-trace  is  generated. 
8.1.1 Input

The input consists of an event-based modular description of a system and its specification. It also provides the user a simple means of specifying the initial separating structure.


Problem  description 

Each system component is a timed safety automaton. A global automaton for the system is the composition of automata for each component. Each component automaton is described by its set of locations, event alphabet, initial location, and a listing of transitions. Components synchronize their actions through shared events. Associated with each component is an alphabet of event symbols, and an event can occur provided it is enabled in every component automaton whose alphabet includes the event.

The  specification  is  also  given  as  a  timed  safety  automaton,  and  is  included  in  the 
input  as  a  special  component.  Its  violating  locations  are  labeled. 


Initial  partitioning 

The user may specify the initial separating structure. It must be given as a partition of the timed state-space which is determined by each process’s control locations. The user partitions the control locations within each component process, thereby partitioning the state-space such that two timed-states are in the same separating class precisely when their control locations are in the same block of the partitioning for every process component. In other words, given blocks $\{X^i_j\}$ as a partition of the control locations $Q^i$ of process $i$, $(q, x)$ is in the same separating class as $(q', x')$ if and only if for all $i$ both $(q)_i$ and $(q')_i$ are in the same $X^i_j$. We require that the partitioning respect y, and hence the specification process must have its control locations partitioned with all blocks either containing only violating locations, or containing no violating locations.
8.1.2 Implementational variations

We  explain  here  how  the  algorithm  implemented  departs  from  the  algorithm  described 
in  chapter  5.  The  reader  may  safely  choose  to  skip  this  section  without  losing  any 
understanding  of  the  rest  of  the  chapter. 

The  algorithm  has  been  modified  for  the  implementation  in  the  following  ways, 
none  of  which  affect  the  correctness  nor  termination  properties: 

1. separating structures are refined on-the-fly: a separating structure may be refined during a traversal, not just after a traversal is complete. This change is the most significant variation from the algorithm described in the previous chapters. The idea is that if it can be detected that a class should be split at some later point, such as after the traversal, it might as well be split in the middle of the traversal. This anticipated split refines the approximation right away rather than waiting until the next set of traversals. However, to avoid excessive splitting in the middle of a traversal, a limit is imposed on the number of times a block may be predictively split in this way.

In our implementation, such predictive splits are designed to decrease the overapproximation. As before, classes are split according to their control locations. A class may be split if doing so enables a finer approximation which avoids some states in the reverse direction’s underapproximation which would otherwise have been included. The particular rule implemented attempts to split a class so that the time-passage events are more accurately approximated. The reason for this is that the next-state relations are only approximate over time-passage events, so a great deal of inaccuracy can potentially be introduced in the computation of time successors. The heuristic we use anticipates such problems and allows a more accurate calculation of time successors when it appears the approximation is too crude. More specifically, if the approximating set $A$ is disjoint from the reverse direction’s underapproximation Opp-U, and $N_S(A)$ is not, the set $A$ may be split by control locations into $A_1$ and $A_2$ if either or both of $N_S(A_1)$ and $N_S(A_2)$ is disjoint from Opp-U. This split is brought into effect by splitting the separating class containing $A$ in the appropriate manner.
2. Identical classes may be repeated in a separating structure. Theoretically, repeated sets may not occur in a separating structure: the definition of a separating structure requires that each class be distinct. However we choose to allow repeated sets rather than performing a potentially expensive check to remove all redundant sets.

3. Disjuncts are combined: transitions which share the same timing information are combined into a single disjunct in the next-state relation regardless of the symbol they are labeled by. This strategy allows a more compact system description, and avoids repeatedly analyzing the same timing conditions. We found this strategy to be essential when analyzing larger systems, since many disjuncts do indeed share the same timing constraints. In some cases, systems with over 400 transitions are reducible to only 20 distinct disjuncts.

4. Splitting occurs over non-maximal sets as well as maximal sets. The algorithm description requires only that maximal sets be split between different traversals of the algorithm. However, we avoid the check for maximality and split also non-maximal overapproximating sets according to locations appearing in the underapproximation. As well as bypassing the check for maximality, this extra splitting has the advantage of accelerating convergence of the underapproximation by allowing the next underapproximation to include more states. For example, suppose that $A$ has been split into $A_1$ and $A_2$ where $A_1$ intersects the underapproximation and $A_2$ does not. By separating out states in $A_2$, we make it easier for reachable states there to appear in the next underapproximation. For instance, if $A_2$ contains successors of states in the current underapproximation, by the second condition of the underapproximating operator, they will occur in the next underapproximation (unless their predecessors no longer occur in the next overapproximation).
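The predictive split rule of item 1, worked on explicit states as an added example (not the thesis's C implementation): states are constructed (location, clock value) pairs so that $N_S$ is a plain successor function rather than a DBM computation, and a separating class is a set of control locations.

```python
# Predictive split (item 1 above) on an explicit finite transition system.
# Added example, not the thesis's implementation: time zones are replaced by
# constructed (location, clock_value) pairs so that N_S is a plain function.


def next_states(states):
    """N_S(A): successors of every state in A under a constructed
    three-location automaton with one integer clock
    (p -> q lets the clock advance, q -> r resets it, r idles)."""
    out = set()
    for loc, clk in states:
        if loc == "p":
            out.add(("q", clk + 1))
        elif loc == "q":
            out.add(("r", 0))
        elif loc == "r":
            out.add(("r", clk + 1))
    return out


def location_splits(A):
    """Candidate splits of A by control location: (states at one location,
    all the rest), for every location present in A. Both parts are
    non-empty, so a set with a single location cannot be split."""
    locs = sorted({loc for loc, _ in A})
    if len(locs) < 2:
        return []
    cands = []
    for loc in locs:
        A1 = {s for s in A if s[0] == loc}
        cands.append((A1, A - A1))
    return cands


def predictive_split(A, opp_u):
    """Return (A1, A2) when the rule fires, else None.
    Rule: A is disjoint from the reverse direction's underapproximation
    Opp-U, N_S(A) is not, and N_S(A1) or N_S(A2) is disjoint from Opp-U."""
    if A & opp_u:
        return None                     # rule only applies to A disjoint from Opp-U
    if not (next_states(A) & opp_u):
        return None                     # successors already avoid Opp-U
    for A1, A2 in location_splits(A):
        if not (next_states(A1) & opp_u) or not (next_states(A2) & opp_u):
            return A1, A2
    return None


def refine_structure(structure, A, opp_u):
    """Bring the split into effect: the separating class (a frozenset of
    control locations) containing A's locations is replaced by the
    locations of A1 and the remaining locations of that class."""
    split = predictive_split(A, opp_u)
    if split is None:
        return list(structure)
    A1, _ = split
    locs1 = {loc for loc, _ in A1}
    refined = []
    for cls in structure:
        if locs1 <= cls and locs1 != cls:
            refined.append(frozenset(locs1))
            refined.append(frozenset(cls - locs1))
        else:
            refined.append(cls)
    return refined


if __name__ == "__main__":
    # Constructed situation: A sits in the class {p, q}; the reverse
    # direction's underapproximation already holds r with clock 0.
    A = {("p", 0), ("q", 3)}
    opp_u = {("r", 0)}
    structure = [frozenset({"p", "q"}), frozenset({"r"})]
    print("split:", predictive_split(A, opp_u))
    print("refined structure:", refine_structure(structure, A, opp_u))
```

Only the q-part of A has a successor in Opp-U, so the rule separates p from q and the class {p, q} is split before the traversal finishes.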


8.2  Results 


The approximation algorithm enables us to verify larger systems than our previous implementations of verifiers, as well as any other automata-based automatic verifiers. It is also relatively fast. All code is in C, and the OBDD routines are from David Long’s package. The results in figure 8.1 were obtained on a DEC 5000 with 56 MB of main memory. The number of “reachable” TSA locations refers to those locations forwards reachable in an untimed analysis of the state graph, i.e. assuming the enabling of events is independent of the timing conditions. We note that we are able to verify systems with over a million control locations.

Ex.                         Nr. TA locns   Clocks   Mem (MB)   Time (s)
Fischer Mutual exclusion
  MX-4                             1,704        4          4         23
  MX-4-e                           1,704        4          4          9
  MX-7                           120,863        7          5        126
  MX-7-e                         120,863        7          5         56
  MX-9                         3,259,136        9          9        941
  MX-9-e                       3,259,136        9          9        585
Fast Mutual exclusion
  FMX-3                           17,377        3          8        144
AUDIO                             83,660        2          7        489
AUDIO with timing                202,802        3         14       1077
Ethernet
  ETH-A                                         6          6        159
  ETH-A-e                                       6         11        727
  ETH-B                           27,045        6          9        279
  ETH-B-e                         27,045        6          7
  ETH-C                            6,405        7          6        197
  ETH-C-e                          6,405        7          5         89
CSMA                                 189        4          3          3
Tick-tock protocol
  TT:iso-1                           384        7          6        148
  TT:iso-2                           216        6          4         19
  TT:transmission delay              432        7          7        356
  TT:spacing                         216        7          4         22

MX-i    Fischer mutual exclusion, i processes
FMX-i   Fast mutual exclusion, i processes
AUDIO   Audio control protocol
ETH-X   Ethernet examples, specification X
CSMA    Carrier Sense / Multiple Access protocol
-e      example contains error run

Figure 8.1: Results
Figure 8.2: Single locations vs sets of locations


Approximating  over  control  information 

For the larger examples we considered, the implementation using a symbolic representation of sets of control locations far outperforms the one with all control locations separated, see figure 8.2. It should be noted however that performance may depend critically on the initial separating structure used.


8.3  Additional  heuristics 

8.3.1  Choice  of  initial  partition 

The  system  designer  is  capable  of  using  her  own  knowledge  of  the  system  to  aid  the 
verification  procedure,  by  judicious  choice  of  an  initial  separating  structure.  Many 
other automatic verification techniques do not allow the user to supply useful information directly to the verification package. Typically the verification engineer must
have  a  thorough  understanding  of  both  the  system  being  verified,  and  the  algorithm 
being  used  to  verify  it,  and  then  devise  a  clever  encoding  of  the  problem  which  takes 
both  into  account.  While  optimal  use  of  the  approximation  algorithm  also  requires 
knowledge  of  both  the  system  being  verified  and  the  approximation  technique,  the 
features  of  the  algorithm  can  be  exploited  without  having  to  manipulate  the  system 
description  itself.  The  user  need  only  tell  the  algorithm  where  to  approximate  the 
truly  reachable  states  more  carefully,  and  where  it  can  be  more  lax.  In  general,  states 
can be kept in the same separating class whenever their outgoing behaviors are in
some  sense  similar.  The  following  heuristics  can  be  used  to  guide  the  choice  of  an 
initial  separating  structure: 

• parts of the state-space where timing information (either for outgoing constraints or incoming timer values) is similar can be clustered together.

•  the  state-space  should  be  finely  partitioned  in  areas  where  timing  information 
is  critical  for  correct  operation. 

•  states  which  correspond  to  different  branches  of  a  critical  case  analysis  should 
be  separated. 

•  processes  or  variables  which  play  a  key  role  in  the  correctness  of  the  specification 
should  be  partitioned  more  finely. 

• the size of the initial separating structure should depend on the memory available. If a machine has only enough memory to store n approximating sets and their associated overhead, then a good heuristic is to keep the size of the initial separating structure less than n/30. This policy allows room for the four converging approximations, while still permitting reasonable growth due to splitting.

As an example, if the Fischer mutual exclusion protocol for six processes is verified by separating out locations based only on their specification component, the computation takes 17 traversals to complete in 343s. If a finer partition is chosen, namely splitting also according to the value of the critical controlling variable X, only 5 traversals are made and verification completes in 57s. If the additional splitting is done for process 1 rather than for the control variable X we find that 13 traversals are required in 298s.

8.3.2 Enhanced underapproximations

Experience  shows  that  the  main  drawback  to  the  performance  of  the  approximation 
algorithm  is  due  to  slow  convergence  of  the  underapproximations.  Slowly  increasing 
underapproximations not only hamper the detection of violations, but also contribute
to  slow  downward  convergence  of  the  overapproximations,  since  the  refinement  of  the 
separating  structures  relies  on  information  from  the  underapproximations. 

In  the  case  of  real-time  systems,  the  underapproximating  operator  over  time  zones 
is  extremely  weak.  It  essentially  throws  away  information  about  its  second  operand 
unless  it  contains  the  first.  In  other  words,  sets  of  newly  reachable  timer  vectors  are 
discarded  unless  their  time  zone  includes  all  timer  vectors  already  reached  within  the 
class. 

We now discuss further two techniques which help the propagation of the underapproximations.

Multiple  underapproximation  sets 

The first strategy is to allow the underapproximating operator to return expansions which contain more than one approximating set. Allowing more approximating sets in the underapproximation results in more accurate underapproximations, but at the expense of additional memory. At one extreme we may choose to allow an underapproximation to consist of arbitrarily many approximating sets, and let the underapproximating operator return the union of its operands. In this case, computing an underapproximation will be essentially the same as performing exact set reachability. A happy compromise between a weak underapproximation and an exact computation is to allow the user to specify a fixed maximal number of approximating sets as the result of an application of the underapproximation operator.

Figure 8.3 shows how increasing the number of approximating sets can decrease the number of iterations necessary. The possible cost is more memory for storing an increased number of approximating sets.

Figure 8.3: Multiple underapproximating sets

Stuttering the next-state relation

Underapproximations can be propagated throughout the state-space without the need for storing more approximating sets. First observe how a truly reachable state may be left out of the underapproximation. Suppose $s \in S$ is in the underapproximation but one of its successors $s'$ is not. The non-emptiness condition for underapproximating operators implies the only way this can occur is if every separating class containing $s'$ already contains other states in the underapproximation. If the only separating class containing $s'$ also contains $s$, it may well be that no other successors of $s$ appear in the underapproximation at all. Propagation of the underapproximation may be “stalled” at $s$.

This nonextension of states in the underapproximation can be partially solved by computing successors using an iterated (or stuttered) next-state relation, i.e. $N$ can be replaced in the underapproximating algorithms with some $N^k$, where $N^k$ is the result of composing $N$ with itself $k - 1$ times.
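The stall described above and its stuttering remedy, as an added example (not the thesis's implementation). It assumes a simplified model of the weak underapproximating operator from the start of this section: each separating class stores one set of states, and a freshly computed set for a class is accepted only if it contains the set already stored there; the transition system and classes are constructed.

```python
# Stalled underapproximation and the stuttered relation N^k.
# Added example with an assumed, simplified model of the underapproximating
# operator (not the thesis's code): one stored set per separating class, and
# a new set replaces it only if it contains the old one; otherwise the new
# set is discarded, which is what stalls propagation.


def compose(R, N):
    """Relational composition on successor maps: s -> s'' whenever
    s -> s' in R and s' -> s'' in N."""
    return {s: {t for m in R[s] for t in N.get(m, set())} for s in R}


def stutter(N, k):
    """N^k: N composed with itself k - 1 times (k >= 1)."""
    result = N
    for _ in range(k - 1):
        result = compose(result, N)
    return result


def underapproximate(N, classes, init, rounds=10):
    """Propagate an underapproximation through the separating classes with
    the successor map N. Returns all states in the final underapproximation."""
    class_of = {s: i for i, cls in enumerate(classes) for s in cls}
    stored = {i: set() for i in range(len(classes))}
    for s in init:
        stored[class_of[s]].add(s)
    for _ in range(rounds):
        changed = False
        for i in range(len(classes)):
            succ = {t for s in stored[i] for t in N.get(s, set())}
            for j in range(len(classes)):
                part = {t for t in succ if class_of[t] == j}
                # weak operator: keep the new set only if it contains the old
                if part and part >= stored[j] and part != stored[j]:
                    stored[j] = part
                    changed = True
        if not changed:
            break                       # fixpoint reached
    return set().union(*stored.values())


# Constructed system: s -> t -> u -> u, with s and t sharing a class.
EXAMPLE_N = {"s": {"t"}, "t": {"u"}, "u": {"u"}}
EXAMPLE_CLASSES = [{"s", "t"}, {"u"}]

if __name__ == "__main__":
    # With N, the successor t of s lands in the class already holding s and
    # {t} does not contain {s}, so propagation stalls at s.
    print("N:   ", underapproximate(EXAMPLE_N, EXAMPLE_CLASSES, {"s"}))
    # With N^2, s reaches u directly; u's class is empty, so it is accepted.
    print("N^2: ", underapproximate(stutter(EXAMPLE_N, 2), EXAMPLE_CLASSES, {"s"}))
```

Note that t is still missing with $N^2$: stuttering only partially solves the nonextension, exactly as the text says.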

8.3.3  Untimed  analysis 

Sometimes  computing  even  the  first  approximation  of  the  reachable  timed-states  is 
expensive.  A  preliminary  untimed  analysis  may  be  able  to  prune  large  parts  of  the 
state-space  from  consideration.  For  example,  it  may  be  that  many  control  locations 
are  forward  reachable  from  the  initial  states,  but  not  backwards  reachable,  and  in 
this  case  the  first  forwards  overapproximation  will  explore  numerous  control  locations 
unnecessarily.  A  simple  untimed  backwards  reachability  analysis  would  rule  out  many 
of  these  control  locations. 
We propose the following procedure to cope with such situations: first analyze the state-space by ignoring all timing information, and then begin approximating the reachable timed-states over the reduced state-space. The untimed analysis should return a superset of the control locations which may possibly lie on violating paths. This phase considers the timed automaton as a simple (untimed) finite-state automaton, with an edge between two control locations whenever there is a transition between them. The analysis may be either exact or itself approximate, but it must yield an overapproximation of the control locations on violating paths. Indeed, this first untimed analysis may be considered to be a special case of overapproximating with an approximate next-state relation which disregards timing constraints and clock resets.

In  our  implementation,  the  untimed  analysis  consists  of  an  exact  forwards  untimed 
traversal  of  the  states,  followed  by  an  untimed  backwards  reachability  analysis  from 
the  violating  locations  which  are  encountered. 
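The two-phase untimed analysis just described (exact forwards untimed traversal, then untimed backwards reachability from the violating locations encountered), as an added example that is not the thesis's C code; the timed automaton, its guards and its violating location are constructed.

```python
# Untimed pre-analysis: exact forwards untimed traversal, then backwards
# reachability from the violating locations that were encountered.
# Added example, not the thesis's implementation. The automaton is
# constructed; guards and resets travel on the edges only to show that this
# phase disregards them.
from collections import deque

# Constructed edges: (source, event, guard, resets, target).
EDGES = [
    ("init", "start", "x <= 2", ("x",), "a"),
    ("a",    "send",  "x >= 1", (),     "b"),
    ("b",    "late",  "x > 5",  (),     "viol"),
    ("init", "idle",  "true",   (),     "c"),
    ("c",    "tick",  "x <= 1", ("x",), "d"),
    ("d",    "tock",  "x <= 1", ("x",), "c"),
]
VIOLATING = {"viol"}


def untimed_graph(edges):
    """Forward and reverse adjacency of the untimed finite-state automaton:
    an edge between two control locations whenever a transition exists,
    whatever its timing constraint or clock resets."""
    fwd, rev = {}, {}
    for src, _event, _guard, _resets, dst in edges:
        fwd.setdefault(src, set()).add(dst)
        rev.setdefault(dst, set()).add(src)
    return fwd, rev


def reachable(adj, sources, within=None):
    """Breadth-first closure of `sources` under `adj`, optionally confined
    to the location set `within`."""
    seen = {s for s in sources if within is None or s in within}
    queue = deque(seen)
    while queue:
        loc = queue.popleft()
        for nxt in adj.get(loc, ()):
            if nxt in seen or (within is not None and nxt not in within):
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen


def untimed_prune(edges, initial, violating):
    """Control locations that may lie on an untimed path from `initial` to a
    violating location: a superset of those on timed violating paths.
    An empty result means the untimed analysis alone proves the system
    safe (or that the input description is wrong, as noted in the text)."""
    fwd, rev = untimed_graph(edges)
    forward = reachable(fwd, initial)
    hit = forward & violating
    return reachable(rev, hit, within=forward)


if __name__ == "__main__":
    fwd, _ = untimed_graph(EDGES)
    forward = reachable(fwd, {"init"})
    kept = untimed_prune(EDGES, {"init"}, VIOLATING)
    print("forward reachable:", sorted(forward))
    print("kept for timed analysis:", sorted(kept))
    print("pruned:", sorted(forward - kept))
```

Locations c and d are forwards reachable but cannot reach the violating location, so the timed approximations never need to explore them.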

The  disadvantage  of  performing  this  untimed  analysis  is  that  it  may  itself  be 
expensive  to  perform,  and  indeed  may  not  even  complete. 

We  note  in  passing  that  this  untimed  analysis  may  be  sufficient  to  prove  the  system 
is  correct,  in  which  case  either  the  system  does  not  depend  on  timing  information  for 
correctness,  or  there  is  a  description  error  in  the  input. 

Observe  that  the  algorithms  of  Alur  et  al  [AIKY93]  and  Balarin  et  al  [BSV93] 
also  begin  with  an  untimed  analysis,  and  iteratively  restrict  the  untimed  traces  by 
adding  untimed  components  to  rule  out  paths  which  are  not  possible  because  of  timing 
constraints.  In  contrast,  we  use  the  untimed  analysis  merely  as  a  special  preliminary 
procedure  to  narrow  the  search  space  for  our  state-based  approximations. 


8.4  Performance  comparison  to  other  tools 

Meaningful comparison with other implementations is difficult. Firstly there are not many verifiers which handle dense-time semantics. Secondly, those which do are often still undergoing development. Thirdly, and perhaps most prohibitive, is the fact that each tool uses at least slightly different formalisms for describing real-time processes, and for specifying timing properties.
We compare our approximation algorithm against our previous implementations based on set-reachability and minimization, and against the symbolic model-checker Kronos, which has recently been made publicly available by Sifakis et al [NSY92a, HNSY92, DOY94] at IMAG in France.


8.4.1  Reachability  and  minimization 

The approximation algorithm represents a significant practical improvement over a couple of previously published algorithms we have experimented with. In this subsection, we describe our previous implementations and compare their performance. Many of the ideas behind the approximation scheme advocated here arose from experience with these other verifiers, and we discuss some of these issues in more detail in section 8.5.


Set-reachability 

A  basic  set-reachability  algorithm  is  given  in  figure  4.4  of  section  4.4.  It  can  be 
used  in  a  straightforward  way  to  solve  the  timed  safety  verification  problem,  since 
it  computes  exactly  which  regions  have  states  which  are  reachable  from  the  initial 
states.  It  can  also  be  easily  modified  to  prove  stronger  properties  involving  fairness. 

One problem with explicitly enumerating all nodes in the regions graph is that many different regions need to be examined, and the size of the graph generated
depends  crucially  on  the  size  of  the  timing  constraints  used.  Set-reachability  does 
much  better  locally,  since  all  successors  of  a  single  transition  can  be  added  in  a  single 
step.  For  example,  sets  of  time  successors  can  be  clustered  together  in  a  single  DBM. 
In  systems  with  simple  looping  structures  this  algorithm  may  be  quite  effective,  but 
in  more  complex  examples,  a  single  control  location  can  be  entered  along  different 
transitions,  each  with  different  timing  constraints.  When  the  algorithm  follows  these 
transitions,  many  new  sets  may  be  generated.  Of  all  the  algorithms  we  provide 
comparative  data  for,  this  one  is  the  least  efficient  in  practice,  as  shown  by  the  data 
in  figure  8.4  appearing  later  in  this  section. 
Minimization

An approach to circumventing the size of the regions graph is to build instead a minimal representation of the reachable part of the graph. The algorithms of Bouajjani et al [BFH+92] and Lee and Yannakakis [LY92] simultaneously minimize and generate a superset of the reachable subgraph of a transition system. We implemented a variation of the algorithm of Bouajjani et al applied to timed automata [ACH+92, ACD+92]. We refer the reader to their publications and only sketch the ideas behind their algorithm. The algorithm starts with a transition system and an initial partition of its states. A class $X$ is stable if whenever a state $s \in X$ has a successor in a class $X'$, all states in $s$’s class have successors in $X'$. The algorithm continually refines the partition by splitting reachable classes which are not stable with respect to the other classes.

Lee and Yannakakis's minimization algorithm [LY92] is similar to the one above. They specify an explicit strategy for choosing which class of the partition to split next. Their selection strategy guarantees an upper bound on the running time which is quadratic in the size of the minimal graph, provided there is a finite minimal graph and a means of detecting termination. The idea is to search forward to find classes which need to be split, and to give every class a fair chance of being split. Classes are marked with reachable points, and consequent splitting is done "around" this reachable point, thereby ensuring that all splitting is done on reachable classes. Yannakakis and Lee [YL93] also discuss how the algorithm can be applied efficiently to minimize a real-time system.

The most straightforward use of the minimization algorithm for safety verification would be to generate the minimal reachable graph starting from an initial partition which separates the violating states from the rest. We could then check whether any block containing violating states were reachable. If any were, then the system would contain a violation.

The algorithm we implemented improves on this strategy by avoiding unnecessary refinement of the graph. The modifications are based on the simple observation that it is not necessary to generate the exact minimal reachable graph in order to determine whether the violating states are reachable. For instance, if a class A is unstable with respect to a class B, and it is known that no violation states are accessible from states in B, then it is unnecessary to split A with respect to B. Of course we do not know in advance exactly which states lie on violating paths, but we can ascertain for sure that some do not using the following reasoning. Given a set-graph G that has an edge between two nodes A and B whenever there are states a ∈ A and b ∈ B such that N(a,b), the set of states in reach(G) contains reach(S). Thus we may be able to determine that some blocks contain only states that definitely have no paths to violating states; although they may be reachable, we need not stabilize them, or stabilize other classes with respect to edges into them. Thus we advocate specializing the minimization algorithm by periodically removing from consideration all classes from which violation states are not accessible. We also developed refined methods for choosing which class to split next, an order for the transitions to be stabilized in, lookahead strategies for increasing the number of classes detected as reachable, and simple techniques to ensure refining of the graph occurred evenly across the state-space rather than potentially wasting effort in a localized area which may not lie on any violating paths.
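As an added illustration of the specialized minimization just described (example code, not the thesis's implementation), the following Python applies stability-based splitting to an explicit finite transition system, assumed to be given as a successor dictionary with constructed sample data, and skips splits with respect to classes from which no violating state is accessible in the set-graph:

```python
"""Partition refinement (minimization) specialized for reachability checking.
Added example, not the thesis's own code.  It assumes an explicit finite
transition system given as a successor dictionary and follows the text's
sketch: start from a partition that separates the violating states, split
reachable classes that are unstable, and never split with respect to a class
from which no violating state is accessible in the set-graph."""
from collections import deque


def set_graph(partition, succ):
    """Class index of each state, plus the set-graph edges A -> B that exist
    whenever some a in A has a successor b in B."""
    cls_of = {s: i for i, block in enumerate(partition) for s in block}
    edges = {i: set() for i in range(len(partition))}
    for s, ts in succ.items():
        for t in ts:
            edges[cls_of[s]].add(cls_of[t])
    return cls_of, edges


def reachable(edges, sources):
    """Classes reachable from `sources` along set-graph edges (BFS)."""
    seen, work = set(sources), deque(sources)
    while work:
        c = work.popleft()
        for d in edges[c]:
            if d not in seen:
                seen.add(d)
                work.append(d)
    return seen


def coreachable(edges, targets):
    """Classes from which some class in `targets` is accessible: reachability
    over the reversed set-graph."""
    rev = {c: set() for c in edges}
    for c, ds in edges.items():
        for d in ds:
            rev[d].add(c)
    return reachable(rev, targets)


def split(block, target, succ):
    """Split `block` with respect to `target` into the states that have a
    successor in `target` and those that do not; None if `block` is stable."""
    with_edge = {s for s in block if any(t in target for t in succ.get(s, ()))}
    without = block - with_edge
    return (with_edge, without) if with_edge and without else None


def find_unstable(partition, succ, edges, reach, relevant):
    """First reachable class that is unstable along an edge into a relevant
    class, together with its two halves.  Edges into irrelevant classes
    (those that cannot reach a violation) are ignored."""
    for a in sorted(reach):
        for b in sorted(edges[a] & relevant):
            parts = split(partition[a], partition[b], succ)
            if parts:
                return a, parts
    return None


def check_safety(states, succ, init, violating):
    """Return (safe, partition); safe is True iff no violating state is reachable
    from `init`.  Terminates on finite systems: every round either answers or
    strictly increases the number of classes."""
    viol = set(violating)
    partition = [b for b in (set(states) - viol, viol) if b]
    while True:
        cls_of, edges = set_graph(partition, succ)
        reach = reachable(edges, {cls_of[s] for s in init})
        viol_classes = {i for i, b in enumerate(partition) if b <= viol}
        if not reach & viol_classes:
            return True, partition        # reach(G) contains reach(S), so S is safe
        relevant = coreachable(edges, viol_classes)
        found = find_unstable(partition, succ, edges, reach, relevant)
        if found is None:
            # Every reachable class is stable along every relevant edge, so a
            # set-graph path to a violating class is realised by a concrete run.
            return False, partition
        a, parts = found
        partition[a:a + 1] = list(parts)


# Constructed sample system: states 0..8, initial state 0, violating state 7.
# State 8 (the only predecessor of 7) is unreachable, so the system is safe.
SAFE_SUCC = {0: [1, 2], 1: [3], 2: [4], 3: [5], 4: [5], 5: [6], 6: [5], 8: [7]}
# Adding the edge 4 -> 7 makes 7 reachable via 0 -> 2 -> 4 -> 7.
UNSAFE_SUCC = {**SAFE_SUCC, 4: [5, 7]}

if __name__ == "__main__":
    for name, succ in (("safe", SAFE_SUCC), ("unsafe", UNSAFE_SUCC)):
        safe, part = check_safety(range(9), succ, [0], [7])
        print(name, "->", "safe" if safe else "violation",
              "classes:", sorted(map(sorted, part)))
```

In the unsafe run the class {1, 3, 5, 6} is never split, since no violating state is accessible from it; an exact minimization would keep refining it.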

Comparison

Comparative results are displayed in figure 8.4. Not surprisingly, approximation outperforms set-reachability. It is also far more efficient, in time and space, than our implementation of the minimization-based verifier, despite the large number of heuristics added to the latter. The results suggest that an exact reachable state analysis of a real-time system is both expensive and unnecessary for many timing-based verification problems.

8.4.2 Symbolic model-checker Kronos

The model-checker Kronos [NSY92a] computes whether a given timed safety automaton satisfies a specification given as a formula in the branching-time temporal logic TCTL [ACD90] where modal operators are time-bounded. It implements the symbolic model-checking algorithm found in [HNSY92].
Figure 8.4: Comparative results


Our process semantics exactly matches that of Kronos. However their specifications are more general than ours. They verify formulae written in TCTL, a branching-time temporal logic with time-bounded modal operators. Using this logic they are able to express every timed safety verification problem, since reachability is expressible in the logic. Furthermore, there are properties given as logical formulae which are not timed-safety properties, such as non-Zenoness, and the singularity constraint that an event is never enabled for an open interval of time. In any case, a very preliminary analysis shows our approximation algorithm completes in less time, and uses less memory. The results for the Fischer mutual exclusion protocol and the tick-tock protocol examples appear in figure 8.5. The parameter set E has values π = 100, Tmin = 75, Tmax = 120 and α = 50, F has π = 100, Tmin = 50, Tmax = 75 and α = 150, and G uses π = 100, Tmin = 75, Tmax = 220 and α = 50. Results were obtained on a Sun Sparcstation 2 with 128 MB of memory, of which all the examples given were verified by our algorithm using less than 9 MB. Notice that we cannot verify the singularity properties iso-3 and imm, since they are not expressible in our framework.

Ex.              KRONOS                 APPROX*                Factor
                 # Itns   Time (s)      # Itns   Time (s)      faster
MX-6                12       1174           4        74          16
MX-6-e              10       1323           2        30          44
MX-7               -m-        -m-           4       164           -
MX-7-e             -m-        -m-           2        78           -
MX-8               -m-        -m-           4       375           -
MX-8-e             -m-        -m-           2       220           -
MX-9               -m-        -m-           4       891
MX-9-e             -m-        -m-           2       596
TICK-TOCK
E:iso-1             15       1016           8       112         9.0
E:iso-2              9         13           4         3         4.0
E:iso-3              1          1         N/A       N/A           —
E:transmd           17       1227          14        69        17.7
E:sp                 7         26           4         4         6.0
E:imm                1          1         N/A       N/A           —
F:iso-1 -e          33         87           4        39         2.2
F:iso-2              7          5           4         3         1.7
F:iso-3              1          1         N/A       N/A           —
F:transmd -e        23        191           4        72         2.7
F:sp                 8         33           4         5         6.9
F:imm                1          1         N/A       N/A           —
G:iso-1 -e          22        121           6        93         1.3
G:iso-2              9          7           4         3         2.0
G:iso-3              1          1         N/A       N/A           —
G:transmd           15        264          10       166         1.6
G:sp                 7         20           4         5         4.2
G:imm                1          1         N/A       N/A           —

MX-i    Fischer mutual exclusion, i processes
E/F/G   indicates different timing parameters
-e      example contains error run
-m-     ran out of memory
(*)     excludes 1 min compilation time

Figure 8.5: Comparative performance

However, for all the properties which can be expressed by both methodologies, the approximation algorithm is more memory efficient and is able to complete verification for every example for which Kronos completes. We are also able to verify systems with much larger control spaces. For example the Fischer protocol with 9 processes has 9 clocks and 3,259,136 control locations reachable in an untimed analysis, and verification completes in under 9 MB. Our implementation is up to 44 times faster over the 6 process example Kronos can verify. The approximation algorithm is also consistently faster, up to a factor of 18, over examples published by the developers of Kronos, even when the examples use tight timing constraints. The relative benefits of the two verifiers need to be explored in more depth. Indeed, it appears the advantages of both verifiers could be exploited by using Kronos to verify the TCTL properties not expressible as safety verification problems, and using our approximation scheme to verify more limited properties over large examples.


8.5 Lessons learnt

The approximation strategies discussed in this thesis, and some of the implementational choices, are the result of lessons we learnt in building verifiers and examining how they performed over the case studies described in the previous chapters. This section collects together some of our experiences, which are by no means unique, in the hope that it can guide future development of verification tools.

8.5.1 Complexity issues

The worst-case complexity is not always the most relevant feature of an algorithm; the adversarial problem inputs may occur rarely in practice. This fact suggests it may be useful to give a stronger characterization of problem inputs, to restrict analysis to certain useful subclasses of the problem domain, to perform an average-case analysis, or to provide an analysis which compares two algorithms over each individual input instance. However, it is usually difficult to define or even describe a "typical" problem, or give additional useful measures of the problem's complexity.

We note that in our experience some algorithms with poorer complexity outperform theoretically optimal ones. The regions construction of Alur and Dill [AD90] has worst-case complexity exponentially better than the set-reachability algorithm of Dill [Dil89], yet it is easy to see that in many instances of the train-gate example the size of the regions graph is far greater than the set-reachability graph. In addition, our implementation of the minimization algorithm of Lee and Yannakakis [LY92] does not perform better than that of Bouajjani et al [BFH90], despite its theoretical advantages of being polynomial in the size of the minimized graph. However, one of their key ideas in providing an upper bound on run-time, namely using points to mark classes, was very helpful in forcing the splitting of classes to occur throughout the state-space, rather than being localized. This marking of classes, together with giving each class a fair chance of being split, is used in their upper bound results. However, when we experimented with different orderings for splitting classes, we found Lee and Yannakakis's queuing strategy to have no practical effect on convergence, despite being required for their upper bound result. In fact, we implemented heuristics based on splitting classes whose successor classes were not marked, and these made a significant improvement.


8.5.2 Large control spaces

Realistic systems have not only complex timing constraints, but also large control spaces. While there may be ways to extract the timing properties of some systems, and analyze them separately, we believe that in general it is essential to be able to model both timing information and large control spaces in a single system description. It was this fact that led us to consider algorithms which could share timing information over different control locations. Otherwise it is likely to be too expensive to associate timing constraints with every reachable location. A hash table can do this effectively when the exact same timing constraints apply at many different locations. However this is not always the case. Approximation can be used to associate numerous locations, having different exact timing constraints, with the same approximate timing constraints, thereby allowing even further reductions in storage. This motivates the use of sets of control locations in approximating sets. The results of this chapter demonstrate the success of this approach.
8.5.3 User-supplied information

A good heuristic algorithm should allow the user to provide some guiding information in a natural and simple way. There is a good chance that the system designer or verifier has some knowledge about why the system is correct (or why she suspects it is). It is potentially very useful for this information to be passed directly to the verifier. For example, enumeration-based techniques usually work with some fixed steps designed to exhaustively cover every combination of possibilities, without regard to how their search of the state-space could be optimized. User intervention could be used to focus attention in particular areas, or supply invariant information about the state-space.

Our approximation algorithm has a straightforward means for the user to decide how roughly or accurately to begin approximating. While this information is very limited in form, we find it very effective in increasing the performance of our verifier. For more details, see subsection 8.3.1.

The user may also fix the maximum number of underapproximating sets within each class. This parameter can be matched with the size of the initial separating classes. In other words, if there are long paths within the separating classes, the underapproximations may increase very slowly, requiring numerous traversals before all reachable states within the class are detected. Thus having fewer separating classes requires more underapproximating sets per class for similar progress in the propagation of the underapproximations. Note that this strategy maintains a relatively constant total number of underapproximating sets.

8.5.4 Symbolic representations

While we have been suggesting that symbolic representations can lead to reductions in computation time and memory usage, it must be remembered that only a good symbolic representation of a problem will help. The representation must be small for most sets encountered, and admit efficient operations. Furthermore, the algorithm must consider only a small number of symbolic sets — otherwise it may use more memory to store sets of states than if it explicitly enumerated the individual states.
Time zones

Time zones and DBMs do work well for representing the reachable states of a system. As shown above, there are fast algorithms for finding successor states of any time zone. Their canonical form has an O(n²) representation and is O(n³) to compute. They are also closed under intersection, as required by the approximation algorithm. Their main disadvantage is that they are not closed under union, and in exact reachability algorithms this can result in a long list of time zones to represent the reachable time vectors for a given control location. Using approximation has the advantage of storing only a fixed number of time zones for a location, avoiding the blow-up due to lack of closure under union.

The overapproximation operator is an effective means of capturing the information in its operands. It returns the smallest possible zone which contains its operands, and is in effect the pairwise disjunction of all constraints needed in defining them. Quite often this zone encapsulates sufficient reachability information for an accurate approximation. For instance, it is common for the value of a particular clock to be irrelevant in determining the outgoing paths from a state s. Approximation over the values of such a clock at s does not directly lead to any false negatives. In other cases, outgoing traces from s depend only on whether a clock x lies above (or below) a certain threshold, l say. Storing information about the exact reachable values is no more useful than knowing whether any reachable values exceed the threshold l, and this information is retained by the overapproximation operator.
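The zone operations the last two paragraphs rely on, as an added example that is not the thesis's code: a minimal DBM restricted to non-strict bounds (an assumption made to keep it short), with canonicalization, intersection, time elapse and the hull overapproximation, run on two constructed zones to show that the hull is strictly larger than their union yet still answers the threshold question of whether any reachable value of x exceeds l:

```python
"""Difference-bound matrices (DBMs) for time zones.  Added example, not the
thesis's own code.  Assumption: only non-strict bounds (<=) are modelled.
Index 0 is the reference clock whose value is always 0, so entry m[i][j] is
an upper bound on x_i - x_j; m[i][0] bounds x_i from above, m[0][i] from below."""
import itertools

INF = float("inf")


def dbm_new(n):
    """Unconstrained zone over n clocks: all clocks non-negative, no other bounds."""
    m = [[INF] * (n + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        m[i][i] = 0
        m[0][i] = 0              # 0 - x_i <= 0
    return m


def constrain(m, i, j, c):
    """Copy of m with the extra constraint x_i - x_j <= c."""
    m = [row[:] for row in m]
    m[i][j] = min(m[i][j], c)
    return m


def canonical(m):
    """Tightest equivalent matrix (Floyd-Warshall over the constraint graph):
    O(n^3) work for an O(n^2) representation.  Returns None if the zone is empty."""
    n = len(m)
    m = [row[:] for row in m]
    for k, i, j in itertools.product(range(n), repeat=3):
        if m[i][k] + m[k][j] < m[i][j]:
            m[i][j] = m[i][k] + m[k][j]
    return None if any(m[i][i] < 0 for i in range(n)) else m


def box(n, bounds):
    """Canonical zone  lo <= x_i <= hi  for every clock i in bounds={i: (lo, hi)}."""
    m = dbm_new(n)
    for i, (lo, hi) in bounds.items():
        m = constrain(constrain(m, 0, i, -lo), i, 0, hi)
    return canonical(m)


def intersect(a, b):
    """Zones are closed under intersection: pointwise minimum, then re-canonicalize."""
    return canonical([[min(x, y) for x, y in zip(ra, rb)] for ra, rb in zip(a, b)])


def hull(a, b):
    """Overapproximation operator on two non-empty canonical zones: the smallest
    zone containing both, i.e. the pointwise maximum (the disjunction of each
    pair of bounds).  The result is again canonical."""
    return [[max(x, y) for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def elapse(m):
    """Time successors: all clocks advance at the same rate, which removes every
    upper bound x_i <= c while preserving all differences x_i - x_j."""
    m = [row[:] for row in m]
    for i in range(1, len(m)):
        m[i][0] = INF
    return m


def contains(a, b):
    """Canonical zone a contains canonical zone b iff every bound of a is weaker."""
    return all(x >= y for ra, rb in zip(a, b) for x, y in zip(ra, rb))


def contains_point(m, values):
    """Membership of a concrete valuation (x_1, ..., x_n)."""
    v = (0,) + tuple(values)
    return all(v[i] - v[j] <= m[i][j] for i in range(len(v)) for j in range(len(v)))


def may_exceed(m, clock, threshold):
    """Does some valuation in the zone have x_clock >= threshold?  When outgoing
    paths depend only on such a threshold this is the only fact that matters,
    and the hull preserves it."""
    cut = constrain(dbm_new(len(m) - 1), 0, clock, -threshold)   # 0 - x <= -l
    return intersect(m, cut) is not None


# Constructed sample zones over clocks x (index 1) and y (index 2).
Z1 = box(2, {1: (1, 2), 2: (0, 1)})    # 1 <= x <= 2, 0 <= y <= 1
Z2 = box(2, {1: (4, 5), 2: (3, 4)})    # 4 <= x <= 5, 3 <= y <= 4
H = hull(Z1, Z2)                       # 1 <= x <= 5, 0 <= y <= 4, 0 <= x - y <= 2

if __name__ == "__main__":
    print("Z1 and Z2 disjoint:", intersect(Z1, Z2) is None)
    print("hull contains (3, 2), a point in neither operand:",
          contains_point(H, (3, 2)), contains_point(Z1, (3, 2)), contains_point(Z2, (3, 2)))
    print("x may reach threshold 3 in Z1 / Z2 / hull:",
          may_exceed(Z1, 1, 3), may_exceed(Z2, 1, 3), may_exceed(H, 1, 3))
```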


OBDDs for control information

We find that using OBDDs for the control component of the state-space is also effective. Firstly, there are potentially many control locations with the same timing constraints on reachable states. In systems with large control spaces, there may be many events which are essentially asynchronous, and only a small part of the system which is really timing dependent. Many events may have no timing constraints associated with them. The constraints associated with state s are the same as for its successor state s' if the only event into s' originates at s and is independent of the clock values. Thus the time zones for these adjacent states are identical. Furthermore sets of adjacent states often have small OBDDs since they may be obtained via untimed events occurring individually in different components. This observation also allows effective initial partitioning which clusters together locations which are separated only by untimed events.

The benefit of using OBDDs for control information is even greater when approximations are used. The arguments in the previous subsection for why approximate timing information is often good enough still hold over sets of locations. Thus we have the potential to pool together states across different locations with slightly varying timing constraints into single approximating sets, without much loss of information. We find this space saving to be necessary for analyzing systems with control spaces too large for storing individual DBMs per location.

Finally we note that the form of initial partitioning we use, dividing the control space via a crossproduct of partitions per component, leads to small OBDDs for each initial separating class, and therefore helps to keep the size of OBDDs in subsequent separating classes small.

OBDDs for timing information

It is possible to use OBDDs for encoding timing information, i.e. they can encode the detailed regions of the Alur-Dill equivalence relation, and then arbitrary sets of timed states can be represented within a single framework. However, this approach does not look promising. The problem is that there are too many dependencies across clocks in different components, leading to large OBDDs. For example, computing the time successors of a set of regions involves checking that the values of all clocks increase at the same rate. In fact, our own experiments with OBDD-encoded regions graphs resulted in worse performance than explicit analysis.

8.5.5 Simplify the problem

Hard problems should be simplified wherever possible until the work of the verifier is computationally feasible. In other words, it is extremely helpful if some human reasoning can be used to reduce a verification problem into a simpler form before handing it to the automatic verifier.

Unnecessary computation may be avoided via restrictions on the problem domain. In our case, we first choose to concentrate only on reachability properties. This simplifies our algorithms and enables us to focus on the key issue of representing state information. Furthermore, if we cannot tackle the simpler problems, there is little hope for the harder ones. However, we do of course sacrifice expressiveness.

Secondly, we rely on syntactic conditions to guarantee our systems are non-Zeno. This choice saves the verifier from checking this property. One approach we took in earlier work [ACD+92] was to have the verifier iteratively create graphs whose paths were guaranteed to be divergent. The algorithms first generate graphs which represent all timed runs. If these graphs are empty, the system is verified correct. If not, they are successively refined until the only remaining paths correspond to divergent traces. This extra computation is time-consuming and causes the graphs to grow rapidly.

Finally, we note that minimization-based techniques use the wrong criterion for splitting classes, if the problem to be solved is reachability. The splitting is too exacting for plain reachability analysis, since it is really bisimulation-based. This is no poor reflection on the minimization algorithms themselves, but rather a comment to tailor techniques to match the problem at hand.

8.5.6 Indications of progress

When attempting to verify large systems, a verification attempt will often run for a long time, seemingly indefinitely, or simply fail reporting a lack of memory. In such cases, it is useful to have an idea of how close the verifier is to solving the problem. This information can be helpful in deciding whether a particular encoding of a system is effective for a given verification algorithm. It can also be a useful measure of whether one algorithm is better than another, and is thus extremely useful in designing heuristics.

As an example of a progress indicator, for explicit enumeration methods, the ratio of new states encountered (or the size of the search stack) may give some indication of how much of the reachable state-space has been found. In symbolic reachability, the sizes of the OBDDs often slowly increase to a peak and then decline, so their sizes can help predict how far the algorithm is from terminating.

For our approximation scheme, where there is a choice of parameters for the verifier's execution, it is even more important to have an indication of how close the verifier is to deciding correctness. Indicators can be used to guide how to choose effective parameters. Both kinds of convergence patterns mentioned above have been observed in the execution of our approximation algorithm. Firstly, for any given approximation the size of the search stack gives some indication of progress. Secondly, and perhaps of more concern, is how close the successive approximations are to deciding correctness. Interestingly enough, for the examples we have looked at which require more than just a few traversals, there is a clear convergence pattern in the size of the approximations. In the first two traversals the size of the approximations usually decreases, since large parts of the state-space can be eliminated as being not both forwards reachable from the initial states and backwards reachable from violating states. Then the sizes usually increase, close to monotonically, and then decrease. We offer an intuitive explanation of this rise and fall in the size of the approximations. Changes in the size of the approximations are due to two competing factors. Separating classes which are too large need to be split, leading to larger approximations. On the other hand, as approximations become more accurate, some previously included states can be eliminated, including some entire classes, leading to smaller approximations. Initially the approximations are too crude and the overly large separating classes need to be refined. Each successive traversal splits more classes, and enables the underapproximations to increase accordingly. Rough approximations are not good at eliminating states falsely believed to be reachable, so the number of classes eliminated is initially small. Thus the approximations start increasing in size. When the separating classes give more accurate approximations, more classes will be eliminated, and fewer classes need to be split further. This phase is detected as the decline in the size of the approximations.

Having this simple guide to convergence can be helpful in deciding how to configure the approximation algorithm. Recall that the two primary parameters to the verifier's execution are the initial partition, and the number of underapproximating sets allowed per separating class. Adjusting either or both of these parameters and watching the convergence pattern of the approximations gives an idea of how effective changes are. Furthermore the relative sizes of the underapproximations to the overapproximations indicate how effectively the underapproximations are propagating through the state-space. If the underapproximations progress too slowly, the parameters can be adjusted accordingly.

8.5.7 Debugging information

It is crucial for a verification tool to provide useful debugging information for systems which are found to be incorrect. The first few attempts to describe a system inevitably contain syntax errors, or modeling errors, and a stark certification of "not correct" from the verifier does nothing to help the designer model the system more accurately.

Our current implementation provides traces whenever errors are found. However these are only violating pseudo-traces (see section 2.3.5). The algorithm could be adapted to produce true violating traces, but this feature is not supported in the current prototype. Furthermore, timing information is output via DBMs which are not easy to interpret — there is no explicit distinction between defining constraints and inferred constraints. The DBMs could be output via their defining constraints only, and a path of timed-states could be extracted from a path of regions, but again the necessary routines are not currently implemented. The control information is output in a more user-friendly fashion, not as OBDDs, but as a listing of the control locations they represent, in disjunctive normal form over each component's locations. While admittedly limited, this debugging information has generally proven sufficient for understanding errors.


8.6 Summary

Despite the fact that the verification of hard real-time systems is a difficult computational problem (PSPACE-complete), many examples are solvable in practice using our heuristic approximation methodology. Our implementation has been able to automatically verify systems with reasonably large control spaces and complex timing information — largely due to our ability to combine timing information across different locations of the state-space into single approximating sets.

The method does have its shortcomings. Sometimes even approximate analysis is expensive to compute. Furthermore there may be many iterations required before convergence. It is not always easy to choose a good initial partitioning: too fine a partition means that there is little advantage gained from approximating, and the size of the approximation can be large, whereas too coarse a partition may cause the approximations to be too crude, and require numerous traversals of the state-space. If all timing constraints in the system are tight, then approximation will have little benefit since correctness will not be detected until the approximations converge to being close to exact.

The algorithm performs well in detecting bugs in systems. More often than not, an attempted verification contains a description error which leads to false violations. It is therefore desirable for a verification algorithm to report errors efficiently. Our implementation has proven effective in catching such errors and in providing useful debugging information, albeit encoded in a symbolic form (DBMs) where the defining timing constraints are not clear. This could be improved in future implementations.

The structure of the approximation algorithm is sufficiently flexible to enable numerous enhancements and heuristics beyond the basic algorithmic description of chapter 5. Because each traversal need not compute an exact set of reachable states, there is a great deal of freedom in how an approximation algorithm can be designed. While some heuristics have been outlined here, the wealth of possible extensions is enormous.

Additional care and optimization could be applied to the code independently of the approximation strategies. For example, there are specialized algorithms that could be used for computing successor regions faster, minimizing the number of canonicalizations necessary, performing faster canonicalizations when only a few constraints are changed, and coalescing adjacent zones into single zones when possible [Rok93]. While we have concentrated on the approximation aspects of the algorithm during its implementation, there is no reason why these other optimizations could not also be incorporated.

Finally, it should be noted that no computationally efficient algorithm can counter the shortcomings of describing real-time systems in the low-level language of timed automata. In our experience, we encountered many description errors resulting from incorrect modeling in the timed automaton framework. It would be extremely helpful to have high-level description and specification languages. These could then be compiled into timed automata for the purpose of verification. Indeed, Nicollin et al [NSY92a] have developed a compiler from the process algebra ATP into timed safety automata, and Daws et al [DOY94] give translations from ET-LOTOS to timed safety automata.


Chapter 9
Conclusions


This thesis proposes a flexible approximation scheme for efficient safety verification. It has been specialized for the verification of real-time systems. An implementation of this algorithm shows very promising results. We now make suggestions for the future and offer concluding remarks.


9.1 Further work

9.1.1 Extensions

The approximation framework we have described is very general. There is plenty of scope for defining additional heuristics to either split classes further, not split them at all, or even recombine them. Also, in the current set-up, one approximation is computed at a time, either forwards or backwards, either overapproximating or underapproximating. It would be interesting to see how well approximations could be generated simultaneously. Another interesting direction to investigate is user-directed refinement, rather than having the algorithm run fully automatically.

9.1.2 Real-time verifier

We have found that our verifier works very well on the reasonably large real-time
examples we have tested. We are still investigating further heuristics to increase
the algorithm's effectiveness. One such example is the use of a "widening" operator
[Hal93b] to accelerate the convergence of iterations within each individual traversal.
A straightforward widening operator has been implemented for simple timed
automata, resulting in mixed success only. Fairness could also be introduced into the
semantics of processes.

The verifier we have built is definitely a prototype. It was developed to test and
explore the ideas in this thesis. No work has been put into designing a friendly user
interface. There are also many inefficiencies in our implementation, such as memory
handling and the storage of DBMs, which could be removed to improve efficiency.

It would be interesting to see how well the approximation technique of Alur et
al. [AIKY93] and Balarin et al. [BSV93] could be combined with our state-based
approximations. In principle, it is not difficult to iteratively add timing constraints into
our approximation algorithm, as a special case of overapproximating next-state
relations. An off-line examination of potentially false negatives can drive the convergence
of the approximating relations.

The implementation needs to be tested on a wider variety of examples. This would
lead to a better understanding of the verification problems that occur in practice and
point to improved heuristics. A more detailed performance comparison with the other
verifiers would be valuable, especially the timing approximation methods of Alur et
al. and Balarin et al.

9.1.3 Other problem domains

It would be interesting to see how well the approximation algorithm works when
applied to systems other than real-time systems. The success of the algorithm for
timed systems is due to the fact that timing information can sometimes be clustered
together into a single zone without including timer vectors which exhibit different
behavior.

Given a different problem domain, we need an efficient symbolic representation
and approximation operators which are meaningful, and in some sense likely to cluster
together only bisimilar states. We suggest possible generic operators for overapproximation
and underapproximation. Given a domain of approximating sets for a
problem, the overapproximating operator could return the smallest enclosing approximating
set, and the underapproximating operator its right operand if it includes the
left operand, and the left operand otherwise.

For untimed systems, OBDDs are an obvious candidate for a symbolic representation,
since they can easily represent sets of states and next-state relations. One
potential set-up for the algorithm is to use hypercubes as approximating sets, i.e.
sets which can be defined by a single conjunction of literals. The operators suggested
above result in (1) overapproximating by taking the conjunction of all positive or negative
literals which appear in one operand, and whose negation does not appear in the
other, and (2) underapproximating by taking the right operand iff all its conjuncts
appear in the left operand, and the left operand otherwise. Both these operations
are obviously efficient to compute, and over some untimed domains they may be
sufficiently accurate.
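The two generic operators above, instantiated over hypercubes, as an added worked example (this is illustrative code written for this edition, not the thesis's verifier). A hypercube is stored as a mapping from variable name to the polarity it is fixed to; variables absent from the mapping are free. The overapproximating operator returns the smallest hypercube enclosing the union of its operands, which is the conjunction of the literals the two operands fix identically; the underapproximating operator follows the thesis's rule literally. Because both operators are cheap syntactic operations on literal sets, the example also includes an exponential brute-force enumeration, used only on small instances, to confirm that the overapproximation really contains the union and the underapproximation really lies inside it. The variable names x, y, z and the sample cubes are constructed for the example.

```python
from itertools import product

# A hypercube is a conjunction of literals: {variable: polarity}. A variable
# that does not appear is unconstrained (both values allowed).
# Example (constructed): {"x": True, "y": False} denotes x AND NOT y.


def cube_contains(outer, inner):
    """True iff inner is a subset of outer as sets of states.

    A cube is contained in another iff it fixes every literal the other
    fixes, with the same polarity (it may fix additional variables)."""
    return all(inner.get(var) == pol for var, pol in outer.items())


def overapprox(a, b):
    """Smallest hypercube enclosing a UNION b.

    Only literals fixed to the same polarity by both operands may be kept:
    if a fixes x and b leaves x free (or fixes it to the opposite value),
    some state of b has NOT x, so x cannot appear in the enclosing cube."""
    return {var: pol for var, pol in a.items() if b.get(var) == pol}


def underapprox(left, right):
    """Underapproximating join as suggested in the thesis: return the right
    operand iff all its conjuncts appear in the left operand (i.e. the right
    cube already includes the left one), and the left operand otherwise."""
    return dict(right) if cube_contains(right, left) else dict(left)


def states(cube, variables):
    """Enumerate the assignments over `variables` satisfying `cube`.

    Exponential in the number of variables; used here only to check the
    operators on small constructed examples, never by the operators."""
    result = set()
    for bits in product((False, True), repeat=len(variables)):
        assignment = dict(zip(variables, bits))
        if all(assignment[var] == pol for var, pol in cube.items()):
            result.add(bits)
    return result


def check_operators(a, b, variables):
    """Soundness check on concrete state sets:
    a UNION b is inside overapprox(a, b), and underapprox(a, b) is inside
    a UNION b."""
    union = states(a, variables) | states(b, variables)
    over = states(overapprox(a, b), variables)
    under = states(underapprox(a, b), variables)
    return union <= over and under <= union


if __name__ == "__main__":
    variables = ["x", "y", "z"]
    a = {"x": True, "y": True}                 # x AND y
    b = {"x": True, "y": False, "z": True}     # x AND NOT y AND z
    print("over :", overapprox(a, b))           # {'x': True}: y disagrees, z is free in a
    print("under:", underapprox(a, b))          # a: b does not include a
    print("sound:", check_operators(a, b, variables))
```

Note that the overapproximation can be much coarser than the union: in the run above the union has three states but the enclosing cube x has four, which is exactly the kind of loss of precision the class-splitting heuristics of the thesis are meant to repair.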

Hybrid systems [AHH93] model continuously changing variables that operate under
a finite number of modes. Variables are usually modeled as satisfying restricted
forms of differential equations. They are more general than real-time systems, where
the clocks are a special case of variables all increasing at a fixed rate. Most problems
studied in this domain are undecidable, so the need for heuristic algorithms is
even greater than for real-time systems. Already, one of the ideas proposed in this
thesis has been applied to verifying hybrid systems. Henzinger and Ho [HH94] use
the iteratively refined overapproximations of figure 2.4. They also incorporate useful
widening operators.

9.1.4 Solving other problems

We believe combining overapproximation and underapproximation information to refine
approximations is both sufficiently powerful and flexible to be applied successfully
to a variety of problems other than state-reachability. We are investigating the practicality
of verification of more general real-time processes and specifications (such as
including fairness), not just real-time safety properties. The ideas behind the algorithms
could also prove fruitful for model-checking logical specifications. Dams et
al. [DGG94] show how various abstractions can be combined for model-checking in an
abstract interpretation framework. However they provide no means of dynamically refining
their abstractions if they prove too weak. It may be possible to extract parameterized
information about when a system will operate correctly, as Halbwachs [Hal93a]
does for his single overapproximations. We are also interested in applying iterative
approximation to real-time controller synthesis algorithms [WTH91, HWT92a].

9.1.5 Analytic analysis

The approximation algorithm proposed is clearly a heuristic. It would be of tremendous
value to have analytical arguments for when it would perform well, and when it
would not. It would also be helpful to have metrics for how close the approximations
are to convergence.


9.2 Discussion

We believe there is a good semantic basis for the permissible-join heuristic used to
refine approximations. The performance results of our prototype implementation for
real-time systems show extremely promising results. However it should always be
remembered that the algorithm still has poor worst-case complexity, exponentially
worse than exact explicit analysis. What works well on some examples could do extremely
poorly on others. Nevertheless our verifier has so far been proven consistently
efficient.

As systems grow larger, performing an exact analysis becomes harder and harder.
While exact enumerative methods have the theoretical advantage of guaranteed termination
over finite-state systems, they are restricted in a very practical sense by
the sizes of their state-spaces. It will become more important to have methods that
do not exhaustively enumerate possibilities which may not be necessary. A form of
clever decision-making is required. Our policy is to use quick and simple decisions
designed to keep the size of the approximations small. It would be interesting to see
whether a more careful analysis using greater lookahead would pay off in the long
run. Another desirable property of a verifier is that progress is always being made
towards a solution. The approximation method here is an attempt to combine the
ideas of approximate analysis with the ability to converge towards a solution.

Approximate analysis has been used for years in more traditional fields of engineering.
Typically systems are described using continuous variables, and differential
equations are solved to determine system behavior. Algorithms are designed with a
step-size parameter that dictates how accurately the system is tracked. In areas of
instability, where the system behavior is more unpredictable, a finer step-size is used.
These methods have been tremendously successful. What then is the difficulty in using
similar ideas for verification? Continuous systems have compact representations,
and often so do discrete systems given in modular format. However states in a continuous
system can be said to have similar behavior when they are close together, whereas the
very nature of discrete systems means that there is no reliable way to easily detect
when two discrete states have similar outgoing behaviors. The approximation method
of this thesis is an attempt to decide exactly when "neighboring" states share similar
behavior, and to approximate more finely when they do not.